<!DOCTYPE html>
<html class='v2' dir='ltr' xmlns='http://www.w3.org/1999/xhtml' xmlns:b='http://www.google.com/2005/gml/b' xmlns:data='http://www.google.com/2005/gml/data' xmlns:expr='http://www.google.com/2005/gml/expr'>
<head>
<link href='https://www.blogger.com/static/v1/widgets/1529571102-css_bundle_v2.css' rel='stylesheet' type='text/css'/>
<meta content='IE=EmulateIE7' http-equiv='X-UA-Compatible'/>
<meta content='width=1100' name='viewport'/>
<meta content='text/html; charset=UTF-8' http-equiv='Content-Type'/>
<meta content='blogger' name='generator'/>
<link href='https://blog.malwaremustdie.org/favicon.ico' rel='icon' type='image/x-icon'/>
<link href='https://blog.malwaremustdie.org/2019/09/mmd-0064-2019-linuxairdropbot.html' rel='canonical'/>
<link rel="alternate" type="application/atom+xml" title="Malware Must Die! - Atom" href="https://blog.malwaremustdie.org/feeds/posts/default" />
<link rel="alternate" type="application/rss+xml" title="Malware Must Die! - RSS" href="https://blog.malwaremustdie.org/feeds/posts/default?alt=rss" />
<link rel="service.post" type="application/atom+xml" title="Malware Must Die! - Atom" href="https://www.blogger.com/feeds/8268358095554400245/posts/default" />

<link rel="alternate" type="application/atom+xml" title="Malware Must Die! - Atom" href="https://blog.malwaremustdie.org/feeds/986273841544985370/comments/default" />
<!--[if IE]><script type="text/javascript" src="https://www.blogger.com/static/v1/jsbin/2287435483-ieretrofit.js"></script>
<![endif]-->
<link href='https://lh3.googleusercontent.com/dxOB7ZuVg-fBrRmstt3EmVsaleV_-P9L6HxsIHK5w3puttv_w8pBzUM3sao1qFynjKVehsyIqcuW3dtU-sfUmA3l6TXGot255o7mfQ_tKl2KDS3XZ6s9_8vTKbVwK81VjsnENa4y32U=w300-h810-no' rel='image_src'/>
<meta content='https://blog.malwaremustdie.org/2019/09/mmd-0064-2019-linuxairdropbot.html' property='og:url'/>
<meta content='MMD-0064-2019 - Linux/AirDropBot' property='og:title'/>
<meta content='MalwareMustDie (MMD) is a whitehat workgroup to reduce malware, this blog advocates research on new malware threats &amp; Linux malware.' property='og:description'/>
<meta content='https://lh3.googleusercontent.com/dxOB7ZuVg-fBrRmstt3EmVsaleV_-P9L6HxsIHK5w3puttv_w8pBzUM3sao1qFynjKVehsyIqcuW3dtU-sfUmA3l6TXGot255o7mfQ_tKl2KDS3XZ6s9_8vTKbVwK81VjsnENa4y32U=w1200-h630-p-k-no-nu' property='og:image'/>
<!--[if IE]> <script> (function() { var html5 = ("abbr,article,aside,audio,canvas,datalist,details," + "figure,footer,header,hgroup,mark,menu,meter,nav,output," + "progress,section,time,video").split(','); for (var i = 0; i < html5.length; i++) { document.createElement(html5[i]); } try { document.execCommand('BackgroundImageCache', false, true); } catch(e) {} })(); </script> <![endif]-->
<title>Malware Must Die!: MMD-0064-2019 - Linux/AirDropBot</title>
<!-- Global site tag (gtag.js) - Google Analytics -->
<script async='async' src='https://www.googletagmanager.com/gtag/js?id=UA-180537376-1'></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date());

  gtag('config', 'UA-180537376-1');
</script>
<style id='page-skin-1' type='text/css'><!--
/*
-----------------------------------------------
Blogger Template Style
Name:     Awesome Inc.
Designer: Tina Chen
----------------------------------------------- */
/* Variable definitions
====================
<Variable name="keycolor" description="Main Color" type="color" default="#ffffff"/>
<Group description="Page" selector="body">
<Variable name="body.font" description="Font" type="font"
default="normal normal 13px Arial, Tahoma, Helvetica, FreeSans, sans-serif"/>
<Variable name="body.background.color" description="Background Color" type="color" default="#000000"/>
<Variable name="body.text.color" description="Text Color" type="color" default="#ffffff"/>
</Group>
<Group description="Links" selector=".main-inner">
<Variable name="link.color" description="Link Color" type="color" default="#888888"/>
<Variable name="link.visited.color" description="Visited Color" type="color" default="#444444"/>
<Variable name="link.hover.color" description="Hover Color" type="color" default="#cccccc"/>
</Group>
<Group description="Blog Title" selector=".header h1">
<Variable name="header.font" description="Title Font" type="font"
default="normal bold 40px Arial, Tahoma, Helvetica, FreeSans, sans-serif"/>
<Variable name="header.text.color" description="Title Color" type="color" default="#ffffff" />
<Variable name="header.background.color" description="Header Background" type="color" default="transparent" />
</Group>
<Group description="Blog Description" selector=".header .description">
<Variable name="description.font" description="Font" type="font"
default="normal normal 14px Arial, Tahoma, Helvetica, FreeSans, sans-serif"/>
<Variable name="description.text.color" description="Text Color" type="color"
default="#ffffff" />
</Group>
<Group description="Tabs Text" selector=".tabs-inner .widget li a">
<Variable name="tabs.font" description="Font" type="font"
default="normal bold 14px Arial, Tahoma, Helvetica, FreeSans, sans-serif"/>
<Variable name="tabs.text.color" description="Text Color" type="color" default="#ffffff"/>
<Variable name="tabs.selected.text.color" description="Selected Color" type="color" default="#ffffff"/>
</Group>
<Group description="Tabs Background" selector=".tabs-outer .PageList">
<Variable name="tabs.background.color" description="Background Color" type="color" default="#141414"/>
<Variable name="tabs.selected.background.color" description="Selected Color" type="color" default="#444444"/>
<Variable name="tabs.border.color" description="Border Color" type="color" default="#222222"/>
</Group>
<Group description="Date Header" selector=".main-inner .widget h2.date-header, .main-inner .widget h2.date-header span">
<Variable name="date.font" description="Font" type="font"
default="normal normal 14px Arial, Tahoma, Helvetica, FreeSans, sans-serif"/>
<Variable name="date.text.color" description="Text Color" type="color" default="#666666"/>
<Variable name="date.border.color" description="Border Color" type="color" default="#222222"/>
</Group>
<Group description="Post Title" selector="h3.post-title, h4, h3.post-title a">
<Variable name="post.title.font" description="Font" type="font"
default="normal bold 22px Arial, Tahoma, Helvetica, FreeSans, sans-serif"/>
<Variable name="post.title.text.color" description="Text Color" type="color" default="#ffffff"/>
</Group>
<Group description="Post Background" selector=".post">
<Variable name="post.background.color" description="Background Color" type="color" default="#141414" />
<Variable name="post.border.color" description="Border Color" type="color" default="#222222" />
<Variable name="post.border.bevel.color" description="Bevel Color" type="color" default="#222222"/>
</Group>
<Group description="Gadget Title" selector="h2">
<Variable name="widget.title.font" description="Font" type="font"
default="normal bold 14px Arial, Tahoma, Helvetica, FreeSans, sans-serif"/>
<Variable name="widget.title.text.color" description="Text Color" type="color" default="#ffffff"/>
</Group>
<Group description="Gadget Text" selector=".sidebar .widget">
<Variable name="widget.font" description="Font" type="font"
default="normal normal 14px Arial, Tahoma, Helvetica, FreeSans, sans-serif"/>
<Variable name="widget.text.color" description="Text Color" type="color" default="#ffffff"/>
<Variable name="widget.alternate.text.color" description="Alternate Color" type="color" default="#666666"/>
</Group>
<Group description="Gadget Links" selector=".sidebar .widget">
<Variable name="widget.link.color" description="Link Color" type="color" default="#888888"/>
<Variable name="widget.link.visited.color" description="Visited Color" type="color" default="#444444"/>
<Variable name="widget.link.hover.color" description="Hover Color" type="color" default="#cccccc"/>
</Group>
<Group description="Gadget Background" selector=".sidebar .widget">
<Variable name="widget.background.color" description="Background Color" type="color" default="#141414"/>
<Variable name="widget.border.color" description="Border Color" type="color" default="#222222"/>
<Variable name="widget.border.bevel.color" description="Bevel Color" type="color" default="#000000"/>
</Group>
<Group description="Sidebar Background" selector=".column-left-inner .column-right-inner">
<Variable name="widget.outer.background.color" description="Background Color" type="color" default="transparent" />
</Group>
<Group description="Images" selector=".main-inner">
<Variable name="image.background.color" description="Background Color" type="color" default="transparent"/>
<Variable name="image.border.color" description="Border Color" type="color" default="transparent"/>
</Group>
<Group description="Feed" selector=".blog-feeds">
<Variable name="feed.text.color" description="Text Color" type="color" default="#ffffff"/>
</Group>
<Group description="Feed Links" selector=".blog-feeds">
<Variable name="feed.link.color" description="Link Color" type="color" default="#888888"/>
<Variable name="feed.link.visited.color" description="Visited Color" type="color" default="#444444"/>
<Variable name="feed.link.hover.color" description="Hover Color" type="color" default="#cccccc"/>
</Group>
<Group description="Pager" selector=".blog-pager">
<Variable name="pager.background.color" description="Background Color" type="color" default="#141414" />
</Group>
<Group description="Footer" selector=".footer-outer">
<Variable name="footer.background.color" description="Background Color" type="color" default="#141414" />
<Variable name="footer.text.color" description="Text Color" type="color" default="#ffffff" />
</Group>
<Variable name="title.shadow.spread" description="Title Shadow" type="length" default="-1px" min="-1px" max="100px"/>
<Variable name="body.background" description="Body Background" type="background"
color="#000000"
default="$(color) none repeat scroll top left"/>
<Variable name="body.background.gradient.cap" description="Body Gradient Cap" type="url"
default="none"/>
<Variable name="body.background.size" description="Body Background Size" type="string" default="auto"/>
<Variable name="tabs.background.gradient" description="Tabs Background Gradient" type="url"
default="none"/>
<Variable name="header.background.gradient" description="Header Background Gradient" type="url" default="none" />
<Variable name="header.padding.top" description="Header Top Padding" type="length" default="22px" min="0" max="100px"/>
<Variable name="header.margin.top" description="Header Top Margin" type="length" default="0" min="0" max="100px"/>
<Variable name="header.margin.bottom" description="Header Bottom Margin" type="length" default="0" min="0" max="100px"/>
<Variable name="widget.padding.top" description="Widget Padding Top" type="length" default="8px" min="0" max="20px"/>
<Variable name="widget.padding.side" description="Widget Padding Side" type="length" default="15px" min="0" max="100px"/>
<Variable name="widget.outer.margin.top" description="Widget Top Margin" type="length" default="0" min="0" max="100px"/>
<Variable name="widget.outer.background.gradient" description="Gradient" type="url" default="none" />
<Variable name="widget.border.radius" description="Gadget Border Radius" type="length" default="0" min="0" max="100px"/>
<Variable name="outer.shadow.spread" description="Outer Shadow Size" type="length" default="0" min="0" max="100px"/>
<Variable name="date.header.border.radius.top" description="Date Header Border Radius Top" type="length" default="0" min="0" max="100px"/>
<Variable name="date.header.position" description="Date Header Position" type="length" default="15px" min="0" max="100px"/>
<Variable name="date.space" description="Date Space" type="length" default="30px" min="0" max="100px"/>
<Variable name="date.position" description="Date Float" type="string" default="static" />
<Variable name="date.padding.bottom" description="Date Padding Bottom" type="length" default="0" min="0" max="100px"/>
<Variable name="date.border.size" description="Date Border Size" type="length" default="0" min="0" max="10px"/>
<Variable name="date.background" description="Date Background" type="background" color="transparent"
default="$(color) none no-repeat scroll top left" />
<Variable name="date.first.border.radius.top" description="Date First top radius" type="length" default="0" min="0" max="100px"/>
<Variable name="date.last.space.bottom" description="Date Last Space Bottom" type="length"
default="20px" min="0" max="100px"/>
<Variable name="date.last.border.radius.bottom" description="Date Last bottom radius" type="length" default="0" min="0" max="100px"/>
<Variable name="post.first.padding.top" description="First Post Padding Top" type="length" default="0" min="0" max="100px"/>
<Variable name="image.shadow.spread" description="Image Shadow Size" type="length" default="0" min="0" max="100px"/>
<Variable name="image.border.radius" description="Image Border Radius" type="length" default="0" min="0" max="100px"/>
<Variable name="separator.outdent" description="Separator Outdent" type="length" default="15px" min="0" max="100px"/>
<Variable name="title.separator.border.size" description="Widget Title Border Size" type="length" default="1px" min="0" max="10px"/>
<Variable name="list.separator.border.size" description="List Separator Border Size" type="length" default="1px" min="0" max="10px"/>
<Variable name="shadow.spread" description="Shadow Size" type="length" default="0" min="0" max="100px"/>
<Variable name="startSide" description="Side where text starts in blog language" type="automatic" default="left"/>
<Variable name="endSide" description="Side where text ends in blog language" type="automatic" default="right"/>
<Variable name="date.side" description="Side where date header is placed" type="string" default="right"/>
<Variable name="pager.border.radius.top" description="Pager Border Top Radius" type="length" default="0" min="0" max="100px"/>
<Variable name="pager.space.top" description="Pager Top Space" type="length" default="1em" min="0" max="20em"/>
<Variable name="footer.background.gradient" description="Background Gradient" type="url" default="none" />
<Variable name="mobile.background.size" description="Mobile Background Size" type="string"
default="auto"/>
<Variable name="mobile.background.overlay" description="Mobile Background Overlay" type="string"
default="transparent none repeat scroll top left"/>
<Variable name="mobile.button.color" description="Mobile Button Color" type="color" default="#ffffff" />
*/
/* Content
----------------------------------------------- */
body {
font: normal normal 13px Arial, Tahoma, Helvetica, FreeSans, sans-serif;
color: #ffffff;
background: #000000 none no-repeat scroll center center;
}
html body .content-outer {
min-width: 0;
max-width: 100%;
width: 100%;
}
a:link {
text-decoration: none;
color: #888888;
}
a:visited {
text-decoration: none;
color: #444444;
}
a:hover {
text-decoration: underline;
color: #cccccc;
}
.body-fauxcolumn-outer .cap-top {
position: absolute;
z-index: 1;
height: 276px;
width: 100%;
background: transparent none repeat-x scroll top left;
_background-image: none;
}
/* Columns
----------------------------------------------- */
.content-inner {
padding: 0;
}
.header-inner .section {
margin: 0 16px;
}
.tabs-inner .section {
margin: 0 16px;
}
.main-inner {
padding-top: 30px;
}
.main-inner .column-center-inner,
.main-inner .column-left-inner,
.main-inner .column-right-inner {
padding: 0 5px;
}
*+html body .main-inner .column-center-inner {
margin-top: -30px;
}
#layout .main-inner .column-center-inner {
margin-top: 0;
}
/* Header
----------------------------------------------- */
.header-outer {
margin: 0 0 0 0;
background: transparent none repeat scroll 0 0;
}
.Header h1 {
font: normal bold 40px Arial, Tahoma, Helvetica, FreeSans, sans-serif;
color: #ffffff;
text-shadow: 0 0 -1px #000000;
}
.Header h1 a {
color: #ffffff;
}
.Header .description {
font: normal normal 14px Arial, Tahoma, Helvetica, FreeSans, sans-serif;
color: #ffffff;
}
.header-inner .Header .titlewrapper,
.header-inner .Header .descriptionwrapper {
padding-left: 0;
padding-right: 0;
margin-bottom: 0;
}
.header-inner .Header .titlewrapper {
padding-top: 22px;
}
/* Tabs
----------------------------------------------- */
.tabs-outer {
overflow: hidden;
position: relative;
background: #141414 none repeat scroll 0 0;
}
#layout .tabs-outer {
overflow: visible;
}
.tabs-cap-top, .tabs-cap-bottom {
position: absolute;
width: 100%;
border-top: 1px solid #222222;
}
.tabs-cap-bottom {
bottom: 0;
}
.tabs-inner .widget li a {
display: inline-block;
margin: 0;
padding: .6em 1.5em;
font: normal bold 14px Arial, Tahoma, Helvetica, FreeSans, sans-serif;
color: #ffffff;
border-top: 1px solid #222222;
border-bottom: 1px solid #222222;
border-left: 1px solid #222222;
height: 16px;
line-height: 16px;
}
.tabs-inner .widget li:last-child a {
border-right: 1px solid #222222;
}
.tabs-inner .widget li.selected a, .tabs-inner .widget li a:hover {
background: #444444 none repeat-x scroll 0 -100px;
color: #ffffff;
}
/* Headings
----------------------------------------------- */
h2 {
font: normal bold 14px Arial, Tahoma, Helvetica, FreeSans, sans-serif;
color: #ffffff;
}
/* Widgets
----------------------------------------------- */
.main-inner .section {
margin: 0 27px;
padding: 0;
}
.main-inner .column-left-outer,
.main-inner .column-right-outer {
margin-top: 0;
}
#layout .main-inner .column-left-outer,
#layout .main-inner .column-right-outer {
margin-top: 0;
}
.main-inner .column-left-inner,
.main-inner .column-right-inner {
background: transparent none repeat 0 0;
-moz-box-shadow: 0 0 0 rgba(0, 0, 0, .2);
-webkit-box-shadow: 0 0 0 rgba(0, 0, 0, .2);
-goog-ms-box-shadow: 0 0 0 rgba(0, 0, 0, .2);
box-shadow: 0 0 0 rgba(0, 0, 0, .2);
-moz-border-radius: 0;
-webkit-border-radius: 0;
-goog-ms-border-radius: 0;
border-radius: 0;
}
#layout .main-inner .column-left-inner,
#layout .main-inner .column-right-inner {
margin-top: 0;
}
.sidebar .widget {
font: normal normal 14px Arial, Tahoma, Helvetica, FreeSans, sans-serif;
color: #ffffff;
}
.sidebar .widget a:link {
color: #888888;
}
.sidebar .widget a:visited {
color: #444444;
}
.sidebar .widget a:hover {
color: #cccccc;
}
.sidebar .widget h2 {
text-shadow: 0 0 -1px #000000;
}
.main-inner .widget {
background-color: #141414;
border: 1px solid #222222;
padding: 0 15px 15px;
margin: 20px -16px;
-moz-box-shadow: 0 0 0 rgba(0, 0, 0, .2);
-webkit-box-shadow: 0 0 0 rgba(0, 0, 0, .2);
-goog-ms-box-shadow: 0 0 0 rgba(0, 0, 0, .2);
box-shadow: 0 0 0 rgba(0, 0, 0, .2);
-moz-border-radius: 0;
-webkit-border-radius: 0;
-goog-ms-border-radius: 0;
border-radius: 0;
}
.main-inner .widget h2 {
margin: 0 -15px;
padding: .6em 15px .5em;
border-bottom: 1px solid #000000;
}
.footer-inner .widget h2 {
padding: 0 0 .4em;
border-bottom: 1px solid #000000;
}
.main-inner .widget h2 + div, .footer-inner .widget h2 + div {
border-top: 1px solid #222222;
padding-top: 8px;
}
.main-inner .widget .widget-content {
margin: 0 -15px;
padding: 7px 15px 0;
}
.main-inner .widget ul, .main-inner .widget #ArchiveList ul.flat {
margin: -8px -15px 0;
padding: 0;
list-style: none;
}
.main-inner .widget #ArchiveList {
margin: -8px 0 0;
}
.main-inner .widget ul li, .main-inner .widget #ArchiveList ul.flat li {
padding: .5em 15px;
text-indent: 0;
color: #666666;
border-top: 1px solid #222222;
border-bottom: 1px solid #000000;
}
.main-inner .widget #ArchiveList ul li {
padding-top: .25em;
padding-bottom: .25em;
}
.main-inner .widget ul li:first-child, .main-inner .widget #ArchiveList ul.flat li:first-child {
border-top: none;
}
.main-inner .widget ul li:last-child, .main-inner .widget #ArchiveList ul.flat li:last-child {
border-bottom: none;
}
.post-body {
position: relative;
}
.main-inner .widget .post-body ul {
padding: 0 2.5em;
margin: .5em 0;
list-style: disc;
}
.main-inner .widget .post-body ul li {
padding: 0.25em 0;
margin-bottom: .25em;
color: #ffffff;
border: none;
}
.footer-inner .widget ul {
padding: 0;
list-style: none;
}
.widget .zippy {
color: #666666;
}
/* Posts
----------------------------------------------- */
body .main-inner .Blog {
padding: 0;
margin-bottom: 1em;
background-color: transparent;
border: none;
-moz-box-shadow: 0 0 0 rgba(0, 0, 0, 0);
-webkit-box-shadow: 0 0 0 rgba(0, 0, 0, 0);
-goog-ms-box-shadow: 0 0 0 rgba(0, 0, 0, 0);
box-shadow: 0 0 0 rgba(0, 0, 0, 0);
}
.main-inner .section:last-child .Blog:last-child {
padding: 0;
margin-bottom: 1em;
}
.main-inner .widget h2.date-header {
margin: 0 -15px 1px;
padding: 0 0 0 0;
font: normal normal 14px Arial, Tahoma, Helvetica, FreeSans, sans-serif;
color: #666666;
background: transparent none no-repeat scroll top left;
border-top: 0 solid #222222;
border-bottom: 1px solid #000000;
-moz-border-radius-topleft: 0;
-moz-border-radius-topright: 0;
-webkit-border-top-left-radius: 0;
-webkit-border-top-right-radius: 0;
border-top-left-radius: 0;
border-top-right-radius: 0;
position: static;
bottom: 100%;
right: 15px;
text-shadow: 0 0 -1px #000000;
}
.main-inner .widget h2.date-header span {
font: normal normal 14px Arial, Tahoma, Helvetica, FreeSans, sans-serif;
display: block;
padding: .5em 15px;
border-left: 0 solid #222222;
border-right: 0 solid #222222;
}
.date-outer {
position: relative;
margin: 30px 0 20px;
padding: 0 15px;
background-color: #141414;
border: 1px solid #222222;
-moz-box-shadow: 0 0 0 rgba(0, 0, 0, .2);
-webkit-box-shadow: 0 0 0 rgba(0, 0, 0, .2);
-goog-ms-box-shadow: 0 0 0 rgba(0, 0, 0, .2);
box-shadow: 0 0 0 rgba(0, 0, 0, .2);
-moz-border-radius: 0;
-webkit-border-radius: 0;
-goog-ms-border-radius: 0;
border-radius: 0;
}
.date-outer:first-child {
margin-top: 0;
}
.date-outer:last-child {
margin-bottom: 20px;
-moz-border-radius-bottomleft: 0;
-moz-border-radius-bottomright: 0;
-webkit-border-bottom-left-radius: 0;
-webkit-border-bottom-right-radius: 0;
-goog-ms-border-bottom-left-radius: 0;
-goog-ms-border-bottom-right-radius: 0;
border-bottom-left-radius: 0;
border-bottom-right-radius: 0;
}
.date-posts {
margin: 0 -15px;
padding: 0 15px;
clear: both;
}
.post-outer, .inline-ad {
border-top: 1px solid #222222;
margin: 0 -15px;
padding: 15px 15px;
}
.post-outer {
padding-bottom: 10px;
}
.post-outer:first-child {
padding-top: 0;
border-top: none;
}
.post-outer:last-child, .inline-ad:last-child {
border-bottom: none;
}
.post-body {
position: relative;
}
.post-body img {
padding: 8px;
background: #222222;
border: 1px solid transparent;
-moz-box-shadow: 0 0 0 rgba(0, 0, 0, .2);
-webkit-box-shadow: 0 0 0 rgba(0, 0, 0, .2);
box-shadow: 0 0 0 rgba(0, 0, 0, .2);
-moz-border-radius: 0;
-webkit-border-radius: 0;
border-radius: 0;
}
h3.post-title, h4 {
font: normal bold 22px Arial, Tahoma, Helvetica, FreeSans, sans-serif;
color: #ffffff;
}
h3.post-title a {
font: normal bold 22px Arial, Tahoma, Helvetica, FreeSans, sans-serif;
color: #ffffff;
}
h3.post-title a:hover {
color: #cccccc;
text-decoration: underline;
}
.post-header {
margin: 0 0 1em;
}
.post-body {
line-height: 1.4;
}
.post-outer h2 {
color: #ffffff;
}
.post-footer {
margin: 1.5em 0 0;
}
#blog-pager {
padding: 15px;
font-size: 120%;
background-color: #141414;
border: 1px solid #222222;
-moz-box-shadow: 0 0 0 rgba(0, 0, 0, .2);
-webkit-box-shadow: 0 0 0 rgba(0, 0, 0, .2);
-goog-ms-box-shadow: 0 0 0 rgba(0, 0, 0, .2);
box-shadow: 0 0 0 rgba(0, 0, 0, .2);
-moz-border-radius: 0;
-webkit-border-radius: 0;
-goog-ms-border-radius: 0;
border-radius: 0;
-moz-border-radius-topleft: 0;
-moz-border-radius-topright: 0;
-webkit-border-top-left-radius: 0;
-webkit-border-top-right-radius: 0;
-goog-ms-border-top-left-radius: 0;
-goog-ms-border-top-right-radius: 0;
border-top-left-radius: 0;
border-top-right-radius-topright: 0;
margin-top: 1em;
}
.blog-feeds, .post-feeds {
margin: 1em 0;
text-align: center;
color: #ffffff;
}
.blog-feeds a, .post-feeds a {
color: #888888;
}
.blog-feeds a:visited, .post-feeds a:visited {
color: #444444;
}
.blog-feeds a:hover, .post-feeds a:hover {
color: #cccccc;
}
.post-outer .comments {
margin-top: 2em;
}
/* Comments
----------------------------------------------- */
.comments .comments-content .icon.blog-author {
background-repeat: no-repeat;
background-image: url();
}
.comments .comments-content .loadmore a {
border-top: 1px solid #222222;
border-bottom: 1px solid #222222;
}
.comments .continue {
border-top: 2px solid #222222;
}
/* Footer
----------------------------------------------- */
.footer-outer {
margin: -0 0 -1px;
padding: 0 0 0;
color: #ffffff;
overflow: hidden;
}
.footer-fauxborder-left {
border-top: 1px solid #222222;
background: #141414 none repeat scroll 0 0;
-moz-box-shadow: 0 0 0 rgba(0, 0, 0, .2);
-webkit-box-shadow: 0 0 0 rgba(0, 0, 0, .2);
-goog-ms-box-shadow: 0 0 0 rgba(0, 0, 0, .2);
box-shadow: 0 0 0 rgba(0, 0, 0, .2);
margin: 0 -0;
}
/* Mobile
----------------------------------------------- */
body.mobile {
background-size: auto;
}
.mobile .body-fauxcolumn-outer {
background: transparent none repeat scroll top left;
}
*+html body.mobile .main-inner .column-center-inner {
margin-top: 0;
}
.mobile .main-inner .widget {
padding: 0 0 15px;
}
.mobile .main-inner .widget h2 + div,
.mobile .footer-inner .widget h2 + div {
border-top: none;
padding-top: 0;
}
.mobile .footer-inner .widget h2 {
padding: 0.5em 0;
border-bottom: none;
}
.mobile .main-inner .widget .widget-content {
margin: 0;
padding: 7px 0 0;
}
.mobile .main-inner .widget ul,
.mobile .main-inner .widget #ArchiveList ul.flat {
margin: 0 -15px 0;
}
.mobile .main-inner .widget h2.date-header {
right: 0;
}
.mobile .date-header span {
padding: 0.4em 0;
}
.mobile .date-outer:first-child {
margin-bottom: 0;
border: 1px solid #222222;
-moz-border-radius-topleft: 0;
-moz-border-radius-topright: 0;
-webkit-border-top-left-radius: 0;
-webkit-border-top-right-radius: 0;
-goog-ms-border-top-left-radius: 0;
-goog-ms-border-top-right-radius: 0;
border-top-left-radius: 0;
border-top-right-radius: 0;
}
.mobile .date-outer {
border-color: #222222;
border-width: 0 1px 1px;
}
.mobile .date-outer:last-child {
margin-bottom: 0;
}
.mobile .main-inner {
padding: 0;
}
.mobile .header-inner .section {
margin: 0;
}
.mobile .post-outer, .mobile .inline-ad {
padding: 5px 0;
}
.mobile .tabs-inner .section {
margin: 0 10px;
}
.mobile .main-inner .widget h2 {
margin: 0;
padding: 0;
}
.mobile .main-inner .widget h2.date-header span {
padding: 0;
}
.mobile .main-inner .widget .widget-content {
margin: 0;
padding: 7px 0 0;
}
.mobile #blog-pager {
border: 1px solid transparent;
background: #141414 none repeat scroll 0 0;
}
.mobile .main-inner .column-left-inner,
.mobile .main-inner .column-right-inner {
background: transparent none repeat 0 0;
-moz-box-shadow: none;
-webkit-box-shadow: none;
-goog-ms-box-shadow: none;
box-shadow: none;
}
.mobile .date-posts {
margin: 0;
padding: 0;
}
.mobile .footer-fauxborder-left {
margin: 0;
border-top: inherit;
}
.mobile .main-inner .section:last-child .Blog:last-child {
margin-bottom: 0;
}
.mobile-index-contents {
color: #ffffff;
}
.mobile .mobile-link-button {
background: #888888 none repeat scroll 0 0;
}
.mobile-link-button a:link, .mobile-link-button a:visited {
color: #ffffff;
}
.mobile .tabs-inner .PageList .widget-content {
background: transparent;
border-top: 1px solid;
border-color: #222222;
color: #ffffff;
}
.mobile .tabs-inner .PageList .widget-content .pagelist-arrow {
border-left: 1px solid #222222;
}

--></style>
<style id='template-skin-1' type='text/css'><!--
body {
min-width: 960px;
}
.content-outer, .content-fauxcolumn-outer, .region-inner {
min-width: 960px;
max-width: 960px;
_width: 960px;
}
.main-inner .columns {
padding-left: 0px;
padding-right: 310px;
}
.main-inner .fauxcolumn-center-outer {
left: 0px;
right: 310px;
/* IE6 does not respect left and right together */
_width: expression(this.parentNode.offsetWidth -
parseInt("0px") -
parseInt("310px") + 'px');
}
.main-inner .fauxcolumn-left-outer {
width: 0px;
}
.main-inner .fauxcolumn-right-outer {
width: 310px;
}
.main-inner .column-left-outer {
width: 0px;
right: 100%;
margin-left: -0px;
}
.main-inner .column-right-outer {
width: 310px;
margin-right: -310px;
}
#layout {
min-width: 0;
}
#layout .content-outer {
min-width: 0;
width: 800px;
}
#layout .region-inner {
min-width: 0;
width: auto;
}
--></style>
<!-- Global site tag (gtag.js) - Google Analytics -->
<script async='async' src='https://www.googletagmanager.com/gtag/js?id=G-GGYD63MC07'></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date());

  gtag('config', 'G-GGYD63MC07');
</script>
<link href='https://unixfreaxjp.github.io/styles/shCore.css' rel='stylesheet' type='text/css'/>
<link href='https://unixfreaxjp.github.io/styles/shThemeRDark.css' rel='stylesheet' type='text/css'/>
<script src='https://unixfreaxjp.github.io/scripts/shCore.js' type='text/javascript'></script>
<script src='https://unixfreaxjp.github.io/scripts/shBrushCpp.js' type='text/javascript'></script>
<script src='https://unixfreaxjp.github.io/scripts/shBrushCss.js' type='text/javascript'></script>
<script src='https://unixfreaxjp.github.io/scripts/shBrushJava.js' type='text/javascript'></script>
<script src='https://unixfreaxjp.github.io/scripts/shBrushJScript.js' type='text/javascript'></script>
<script src='https://unixfreaxjp.github.io/scripts/shBrushPhp.js' type='text/javascript'></script>
<script src='https://unixfreaxjp.github.io/scripts/shBrushPython.js' type='text/javascript'></script>
<script src='https://unixfreaxjp.github.io/scripts/shBrushRuby.js' type='text/javascript'></script>
<script src='https://unixfreaxjp.github.io/scripts/shBrushSql.js' type='text/javascript'></script>
<script src='https://unixfreaxjp.github.io/scripts/shBrushVb.js' type='text/javascript'></script>
<script src='https://unixfreaxjp.github.io/scripts/shBrushXml.js' type='text/javascript'></script>
<script src='https://unixfreaxjp.github.io/scripts/shBrushPerl.js' type='text/javascript'></script>
<script src='https://unixfreaxjp.github.io/scripts/shBrushPlain.js' type='text/javascript'></script>
<script src='https://unixfreaxjp.github.io/scripts/shBrushBash.js' type='text/javascript'></script>
<script src='https://unixfreaxjp.github.io/scripts/shBrushAsm.js' type='text/javascript'></script>
<script language='javascript'> 
// SyntaxHighlighter.config.bloggerMode = true;
SyntaxHighlighter.all();
</script>
<link href='https://www.blogger.com/dyn-css/authorization.css?targetBlogID=8268358095554400245&amp;zx=6d699317-e04a-4073-a8ed-9df5a54c7ce9' media='none' onload='if(media!=&#39;all&#39;)media=&#39;all&#39;' rel='stylesheet'/><noscript><link href='https://www.blogger.com/dyn-css/authorization.css?targetBlogID=8268358095554400245&amp;zx=6d699317-e04a-4073-a8ed-9df5a54c7ce9' rel='stylesheet'/></noscript>
<meta name='google-adsense-platform-account' content='ca-host-pub-1556223355139109'/>
<meta name='google-adsense-platform-domain' content='blogspot.com'/>

<script type="text/javascript" language="javascript">
  // Supply ads personalization default for EEA readers
  // See https://www.blogger.com/go/adspersonalization
  adsbygoogle = window.adsbygoogle || [];
  if (typeof adsbygoogle.requestNonPersonalizedAds === 'undefined') {
    adsbygoogle.requestNonPersonalizedAds = 1;
  }
</script>


</head>
<body class='loading'>
<div class='navbar section' id='navbar'><div class='widget Navbar' data-version='1' id='Navbar1'><script type="text/javascript">
    function setAttributeOnload(object, attribute, val) {
      if(window.addEventListener) {
        window.addEventListener('load',
          function(){ object[attribute] = val; }, false);
      } else {
        window.attachEvent('onload', function(){ object[attribute] = val; });
      }
    }
  </script>
<div id="navbar-iframe-container"></div>
<script type="text/javascript" src="https://apis.google.com/js/plusone.js"></script>
<script type="text/javascript">
      gapi.load("gapi.iframes:gapi.iframes.style.bubble", function() {
        if (gapi.iframes && gapi.iframes.getContext) {
          gapi.iframes.getContext().openChild({
              url: 'https://www.blogger.com/navbar.g?targetBlogID\x3d8268358095554400245\x26blogName\x3dMalware+Must+Die!\x26publishMode\x3dPUBLISH_MODE_HOSTED\x26navbarType\x3dLIGHT\x26layoutType\x3dLAYOUTS\x26searchRoot\x3dhttps://blog.malwaremustdie.org/search\x26blogLocale\x3den\x26v\x3d2\x26homepageUrl\x3dhttps://blog.malwaremustdie.org/\x26targetPostID\x3d986273841544985370\x26blogPostOrPageUrl\x3dhttps://blog.malwaremustdie.org/2019/09/mmd-0064-2019-linuxairdropbot.html\x26vt\x3d3906154817029782216',
              where: document.getElementById("navbar-iframe-container"),
              id: "navbar-iframe"
          });
        }
      });
    </script><script type="text/javascript">
(function() {
var script = document.createElement('script');
script.type = 'text/javascript';
script.src = '//pagead2.googlesyndication.com/pagead/js/google_top_exp.js';
var head = document.getElementsByTagName('head')[0];
if (head) {
head.appendChild(script);
}})();
</script>
</div></div>
<div class='body-fauxcolumns'>
<div class='fauxcolumn-outer body-fauxcolumn-outer'>
<div class='cap-top'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
<div class='fauxborder-left'>
<div class='fauxborder-right'></div>
<div class='fauxcolumn-inner'>
</div>
</div>
<div class='cap-bottom'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
</div>
</div>
<div class='content'>
<div class='content-fauxcolumns'>
<div class='fauxcolumn-outer content-fauxcolumn-outer'>
<div class='cap-top'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
<div class='fauxborder-left'>
<div class='fauxborder-right'></div>
<div class='fauxcolumn-inner'>
</div>
</div>
<div class='cap-bottom'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
</div>
</div>
<div class='content-outer'>
<div class='content-cap-top cap-top'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
<div class='fauxborder-left content-fauxborder-left'>
<div class='fauxborder-right content-fauxborder-right'></div>
<div class='content-inner'>
<header>
<div class='header-outer'>
<div class='header-cap-top cap-top'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
<div class='fauxborder-left header-fauxborder-left'>
<div class='fauxborder-right header-fauxborder-right'></div>
<div class='region-inner header-inner'>
<div class='header section' id='header'><div class='widget Header' data-version='1' id='Header1'>
<div id='header-inner'>
<a href='https://blog.malwaremustdie.org/' style='display: block'>
<img alt='Malware Must Die!' height='77px; ' id='Header1_headerimg' src='https://2.bp.blogspot.com/-rrlkZ50FDJA/UERTcxL8i3I/AAAAAAAAFY8/F5vmhcrbLs4/s1600/MMD.JPG' style='display: block' width='395px; '/>
</a>
<div class='descriptionwrapper'>
<p class='description'><span>The MalwareMustDie Blog (blog.malwaremustdie.org)</span></p>
</div>
</div>
</div></div>
</div>
</div>
<div class='header-cap-bottom cap-bottom'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
</div>
</header>
<div class='tabs-outer'>
<div class='tabs-cap-top cap-top'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
<div class='fauxborder-left tabs-fauxborder-left'>
<div class='fauxborder-right tabs-fauxborder-right'></div>
<div class='region-inner tabs-inner'>
<div class='tabs no-items section' id='crosscol'></div>
<div class='tabs no-items section' id='crosscol-overflow'></div>
</div>
</div>
<div class='tabs-cap-bottom cap-bottom'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
</div>
<div class='main-outer'>
<div class='main-cap-top cap-top'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
<div class='fauxborder-left main-fauxborder-left'>
<div class='fauxborder-right main-fauxborder-right'></div>
<div class='region-inner main-inner'>
<div class='columns fauxcolumns'>
<div class='fauxcolumn-outer fauxcolumn-center-outer'>
<div class='cap-top'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
<div class='fauxborder-left'>
<div class='fauxborder-right'></div>
<div class='fauxcolumn-inner'>
</div>
</div>
<div class='cap-bottom'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
</div>
<div class='fauxcolumn-outer fauxcolumn-left-outer'>
<div class='cap-top'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
<div class='fauxborder-left'>
<div class='fauxborder-right'></div>
<div class='fauxcolumn-inner'>
</div>
</div>
<div class='cap-bottom'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
</div>
<div class='fauxcolumn-outer fauxcolumn-right-outer'>
<div class='cap-top'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
<div class='fauxborder-left'>
<div class='fauxborder-right'></div>
<div class='fauxcolumn-inner'>
</div>
</div>
<div class='cap-bottom'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
</div>
<!-- corrects IE6 width calculation -->
<div class='columns-inner'>
<div class='column-center-outer'>
<div class='column-center-inner'>
<div class='main section' id='main'><div class='widget Blog' data-version='1' id='Blog1'>
<div class='blog-posts hfeed'>

          <div class="date-outer">
        
<h2 class='date-header'><span>Saturday, September 28, 2019</span></h2>

          <div class="date-posts">
        
<div class='post-outer'>
<div class='post hentry' itemscope='itemscope' itemtype='https://schema.org/BlogPosting'>
<a name='986273841544985370'></a>
<h3 class='post-title entry-title' itemprop='name'>
MMD-0064-2019 - Linux/AirDropBot
</h3>
<div class='post-header'>
<div class='post-header-line-1'></div>
</div>
<div class='post-body entry-content' id='post-body-986273841544985370' itemprop='description articleBody'>
<p>
<h2>Prologue</h2>
<p>There are a lot of botnet aiming multiple architecture of Linux basis internet of thing, and this story is just one of them, but I haven't seen the one was coded like this before. 
<p>Like the most of other posts of our analysis reports in MalwareMustDie blog, this post has been started from a friend's request to take a look at a certain Linux executable malicious binary that was having a low (or no) detection, and at that time the binary hasn't been categorized into a correct threat ID.

<p>This time I decided to write the report along with my style on how to reverse engineering this sample, which is compiled in the MIPS processor architecture. 

<p>So I was sent with this MIPS 32bit binary ..
<pre class="brush: js">

cloudbot-mips: ELF 32-bit MSB executable, MIPS, MIPS-I 
version 1 (SYSV), statically linked, stripped

</pre>
..and according to its detection report in the Virus Total hash it is supposed to be a "Mirai-like" or Mirai variant malware, (thank's to good people for uploading the sample to VirusTotal). But the fact after my analysis is saying differently, <i><b>these are not Mirai, Remaiten, GafGyt (Qbot/Torlus base), Hajime, Luabots, nor China series DDoS binaries or Kaiten (or STD like)</b></i>. It is a newly coded Linux malware picking up several idea and codes from other known malware, including Mirai.
<br><a href=https://lh3.googleusercontent.com/dxOB7ZuVg-fBrRmstt3EmVsaleV_-P9L6HxsIHK5w3puttv_w8pBzUM3sao1qFynjKVehsyIqcuW3dtU-sfUmA3l6TXGot255o7mfQ_tKl2KDS3XZ6s9_8vTKbVwK81VjsnENa4y32U=w1271-h810-no><img src="https://lh3.googleusercontent.com/dxOB7ZuVg-fBrRmstt3EmVsaleV_-P9L6HxsIHK5w3puttv_w8pBzUM3sao1qFynjKVehsyIqcuW3dtU-sfUmA3l6TXGot255o7mfQ_tKl2KDS3XZ6s9_8vTKbVwK81VjsnENa4y32U=w300-h810-no"></a>

<p>This sample is just one of a series of badness, my honeypots, OSINT and a given information was leading me into <b>26 types of samples</b> that are meant to pwned series of <b>internet of thing (IoT) devices</b> running on Linux OS, and this MIPS-32 ELF binary one I received is just one of the flocks. 

<p>If you see the filenames you can guess some of those binaries are meant to aim specific IoT/router platforms and not only for several randomly cross-compiled architecture supported result. This type of binaries seem to be started appearing in the early August, 2019, in the internet.
<br>
<a href=https://lh3.googleusercontent.com/PfOoszwvHvBL5XA_RTTU5Oz05uXCLrSquVuOdYCymdu9hBRhBKhd9SdN5odUu4MuHsBYGduBkkIwEi0QJGSdS3oYNIdzXt50jH3M_0CsuPpgFUiFJEjHV__xTxgODZYx1KOtD0BmAxU=w1457-h627-no><img src="https://lh3.googleusercontent.com/PfOoszwvHvBL5XA_RTTU5Oz05uXCLrSquVuOdYCymdu9hBRhBKhd9SdN5odUu4MuHsBYGduBkkIwEi0QJGSdS3oYNIdzXt50jH3M_0CsuPpgFUiFJEjHV__xTxgODZYx1KOtD0BmAxU=w580-h627-no"></a>

<p>Below is the additional list of the compiled binaries meant to run on several non-Intel CPU running Linux operating systems, they can affect network devices like routers, bridges, switches, and other the small internet of things that we may already use on daily basis:<br>
<pre class="brush: cpp">
m68k-68xxx.cloudbot:   32-bit MSB Motorola m68k, 68020, version 1 (SYSV), statically linked
hnios2.cloudbot:       32-bit LSB Altera Nios II, version 1 (SYSV), dynamically linked
hriscv64.cloudbot:     64-bit LSB UCB RISC-V, version 1 (SYSV), dynamically linked
microblazebe.cloudbot: 32-bit MSB Xilinx MicroBlaze 32-bit RISC, version 1 (SYSV), statically linked
microblazeel.cloudbot: 32-bit LSB version 1 (SYSV), statically linked,
sh-sh4.cloudbot:       32-bit LSB Renesas SH, version 1 (SYSV), statically linked.
xtensa.cloudbot:       32-bit LSB Tensilica Xtensa, version 1 (SYSV), dynamically linked.
arcle-750d.cloudbot:   32-bit LSB ARC Cores Tangent-A5, version 1 (SYSV), statically linked.
arc.cloudbot:          32-bit LSB ARC Cores Tangent-A5, version 1 (SYSV), dynamically linked.</pre>
<br>
(The hashes are all recorded in the "Hashes" section of this post)
<p>
<h2>Binary Analysis</h2>
<p>
Since I was asked to look into the MIPS sample so I started with it. The binary analysis is showing a symbol striping result, but we can still get some executable section's information, compiler setting/trace that's showing how it should be run, and some information regarding of the size for the section/program headers, but it's all just too few isn't it? Still this analysis is good for getting information we need for supporting dynamic analysis (if needed) afterward. I personally love to solve malware stuff as statically as possible.

<p>I don't think I will get much information on the early stage (binary analysis) with this ELF binary, except what had already known, such as cross-compiling result, not packed, and headers and <b>entry0 </b>are in place, so I'm good for conducting the next analysis step.
<br>
<a href=https://lh3.googleusercontent.com/DM692yeh8Njgi7ejrD0q5oOtzMY7Fx54ouR4CDkdss7oB5ckPzvVVTxFTVorE6t0S8GER968haIF4sYFkpH2DmpWmM0NIIzyPxd8qjr9lvcXTGl9TVnjrfJ2Vpq2aswmKUiJFhGPxss=w994-h825-no><img src="https://lh3.googleusercontent.com/DM692yeh8Njgi7ejrD0q5oOtzMY7Fx54ouR4CDkdss7oB5ckPzvVVTxFTVorE6t0S8GER968haIF4sYFkpH2DmpWmM0NIIzyPxd8qjr9lvcXTGl9TVnjrfJ2Vpq2aswmKUiJFhGPxss=w580-h825-no"></a>

<p>For file attributes I extracted them using forensics tools included in Tsurugi Linux commands, which are also not showing special result too, except of what has been recorded from the infected box. So I was taking several checks further I run some several ELF pattern signatures I know, with running it against my collection of Yara rules and ClamAV signature to match it to previous threat database that I have, and this is only to make me understand why several false-positive results came up in other Anti Virus product's detection. The malware yet is having several interesting strings but they are still too generic to be processed to identify the threat without reading its assembly further.

<p>So my "practical binary analysis" result for this MIPS binary is going to be it, nothing much. 

<h2>Some methods on MIPS-32 static analysis to dissect this sample with radare2:)</h2>
<p>So this is the fun part, the binary analysis with radare2 ;). no cutter GUI, no fancy huds, just an <i>old-schooler way</i> with command line, visual mode and graph in a <b>r2shell</b>.
<p>I think there is really no such precise step by step "cookbook" on how to to use <b>radare2</b> during analyzing something, and basically <b>radare2 </b>is enriched in design coded by several coders for any kind of users to use it freely with many flavor and options or purpose in binary analysis, once you get into it you'll just get use to use it since radare2 will eventually adapting to your methods, and before you know it you are using it forever. 

<p>My line of work from day one is UNIX operating systems, I use radare2 since the name is "radare" compiled from FreeBSD ports in between years of 2006 to 2007, and I mostly use command line basis on every radare shell on my VT100x/VT200x terminal emulation variants I use afterwards, this is kind of building my reversing forms with radare2 until now. The command line base.

<p>But first, let's make sure you are setting"mips" and "32" in radare2 environment of assembly architecture (arc) and bits for this binary, then try to recognize the "main function", which is in "0x4016a0" at the pattern/location that's different than Intel basis assembly like shown in the picture below:<br>
<a href=https://lh3.googleusercontent.com/pNkh0t72o31A1-wkYGTO4vQWfNCX9FZNKKTt0SgxLThVC901XhJv88t28eV6KLitU4KNNzm92QHcRxZV_U30Xt1quUTBsVTzhvi6yXo5RHs-rS28vs6Bj-Gd0gQ38BR7ORIYJ4sgUdk=w1488-h840-no><img src="https://lh3.googleusercontent.com/pNkh0t72o31A1-wkYGTO4vQWfNCX9FZNKKTt0SgxLThVC901XhJv88t28eV6KLitU4KNNzm92QHcRxZV_U30Xt1quUTBsVTzhvi6yXo5RHs-rS28vs6Bj-Gd0gQ38BR7ORIYJ4sgUdk=w580-h840-no"></a>
<p>
<a name=syscallnaming>
Next, I may just run following commands to be sure that it can be reversed well.</a> It is a simple command for only showing how many Linux syscall is used, and this will work after the radare2 parse and analyze the binary to the analysis database.
<br>
<a href=https://lh3.googleusercontent.com/JLgDDeKWFxaFFyi63YtgQYUIOKsGTYVF_aMNul5WLcB0vWRREng4GOl5yW4wCzFcRf9s4DTTMzspa2O7RQ355fCm4VtB1UIPElAzefU5OZRExuyZczQTYUk8_RGTCj0c1NT7K5Vi59w=w1056-h766-no><img src="https://lh3.googleusercontent.com/JLgDDeKWFxaFFyi63YtgQYUIOKsGTYVF_aMNul5WLcB0vWRREng4GOl5yW4wCzFcRf9s4DTTMzspa2O7RQ355fCm4VtB1UIPElAzefU5OZRExuyZczQTYUk8_RGTCj0c1NT7K5Vi59w=w580-h766-no"></a>
<br>
PS: If you know what you're doing, an simpler/easier way for the MIPS 32bit to seek where the syscall codes placed is by grepping the assembly code with the hex value of  "0x0000000c" like below, the same result should come up:<br>
<a href=https://lh3.googleusercontent.com/7ZKEtke_Gul9Em8e5H890KtLqGx7ADBjX8GallIeorrKETL1S_Am6z9vnicoQ4xPkx1AuUqWphnZOk8DsV10naB7LNklaHs00fgBvlbEM7L8YN4SuXPAJsU3l_-2-2z7cCJUbkfCM8c=w599-h864-no><img src="https://lh3.googleusercontent.com/7ZKEtke_Gul9Em8e5H890KtLqGx7ADBjX8GallIeorrKETL1S_Am6z9vnicoQ4xPkx1AuUqWphnZOk8DsV10naB7LNklaHs00fgBvlbEM7L8YN4SuXPAJsU3l_-2-2z7cCJUbkfCM8c=w300-h864-no"></a>

<p>In my case on dealing with Linux or UNIX binaries, I have to know first what syscalls are used (that kernel uses for making basic operations), "syscall" is used to request a service from kernel. Any good or bad program are using those (if they need to run on that OS), so syscalls have to be there. For me, the syscalls is important and its amount will tell you how big the work load will be, ..then the rest is up to you and radare2 to extract them, the more of those syscalls, the merrier our RE life will be, without knowing these syscalls there's no way we can solve such stripped binary :)

<p>In a Linux MIPS architecture, where assembly and register (reduced registers due to small space) is different than PC's Intel ones (MISP is RISC, Intel is CISC, RISC is for a CPU that is designed based on simple orders to act fast, many networking devices are on RISC for this reason). Linux OS in some MIPS platform can be configured to run either in big or in little endian mode too, you have to be careful about the endianness in reversing MIPS, like this MIPS binary is using big endian, also binaries for <i>SGI machines</i>, but some machines like <i>Loongson 3</i> are just like Intel or PPC works in little endian, several Linux OS is differing their package for supporting each endianness with "mips" (big) or "mipsel" (little) in their MIPS port. Information on the target machines for each sample can help to recognize the endianness used.

<p>In MIPS the way "syscall" used is also have its own uniqueness. Basically, a designated service code for a syscall must be passed in <b>$v0</b> register, and arguments are passed in other registers. A simple way in assembly code  to recognize a syscall is as per below snipped code:
<pre class="brush: asm">
li $v0, 0x1
add $a0, $t0, $zero
syscall
</pre>
<br>
Explanation: The "0x1" is stored in the "$v0" register (it doesn't have to be assembly command "li" but any command in MIPS assembly in example "addliu", etc, can be used for the same effect), which means the service code used to print integer. The next line is to perform a copy value from the register "$t0" to "$a0" (register where argument is usually saved). 
<br>Finally (the third line) the syscall code is there, with these components altogether one "syscall" can be executed.
<p>
We can apply the above concept in the previously grep syscall result. The objective is to recognize the address of its <b>syscall wrapper</b> function for this stripped binary analysis purpose. For example, at the second result at "0x004019d0" there's a <b>syscall number</b>, and by radare2 you go to that location with seek (<b>s</b>) command and using visual mode we can figure the function name in no time. I will show you how.

<p>Let's fix the screen for it as per below so we can be at the same page:
<a href=https://lh3.googleusercontent.com/UWsISGvXqqJh4PmV_nqNZxl9kBnWLvEO54HsMaMUk2wVb7SvoBYoXYZzimzhJ6yfMkeQaDLJjH-a85E7GHuakXHojkwZvQYUktHJe-YeV_mpQH62v01fHJvoqr-hhFVgQtX-9PXqde0=w1313-h786-no><img src="https://lh3.googleusercontent.com/UWsISGvXqqJh4PmV_nqNZxl9kBnWLvEO54HsMaMUk2wVb7SvoBYoXYZzimzhJ6yfMkeQaDLJjH-a85E7GHuakXHojkwZvQYUktHJe-YeV_mpQH62v01fHJvoqr-hhFVgQtX-9PXqde0=w580-h786-no"></a>
<br>
I marked the line where it is assigning <b>"0xfa2"</b> value to <b>"$v0"</b>, and "0xfa2" is the number registered for <b>"fork"</b> syscall in Linux MIPS 32bit OS, that's also saying 0xfa2 is <b>syscall number</b> of <b>sys_fork</b> (system call for fork comnmand),  if you scroll up a bit you can see the function name "fcn.004019a0", which is the <b>"wrapper function"</b> for this <b>"syscall fork"</b> or <b>"sys_fork"</b>. The syscall command will accept the passed <b>syscall number</b> stored in "$v0" to be translated in the syscall table to pass it through the OS specific registered syscall name alongside with the arguments needed to perform the further desired syscall operation.

<p>Noted that the syscall number can always be confirmed in designated Linux OS in the file with the below formula, and more information on register assignment on MIPS architecture that explains syscalls calling conventions can be read in ==>[<a href="https://www.linux-mips.org/wiki/Syscall">link</a>].
<pre class="brush: asm">
/usr/include/{YOUR_ARCH}/asm/unistd_{YOUR_BIT}.h
</pre>

<p>The manual of syscall [<a href="http://man7.org/linux/man-pages/man2/intro.2.html">link</a>] is a good reference explaining syscall wrapper in libc. Quoted:
<br>
<pre class="brush: js">
"Usually, system calls are not invoked directly: 
instead, most system calls have corresponding C library wrapper 
functions which perform the steps required (e.g., trapping to kernel 
mode) in order to invoke the system call.  

Thus, making a system call looks the same as invoking a
normal library function.

In many cases, the C library wrapper function does nothing more than:

*  copying arguments and the unique system call number to the
   registers where the kernel expects them;

*  trapping to kernel mode, at which point the kernel does the real
   work of the system call;

*  setting errno if the system call returns an error number when the
   kernel returns the CPU to user mode.

However, in a few cases, a wrapper function may do rather more than
this, for example, performing some preprocessing of the arguments
before trapping to kernel mode, or postprocessing of values returned
by the system call.  Where this is the case, the manual pages in
Section 2 generally try to note the details of both the (usually GNU)
C library API interface and the raw system call.  Most commonly, the
main DESCRIPTION will focus on the C library interface, and
differences for the system call are covered in the NOTES section."
</pre>
<p> Using this method, in no time you'll get the full list of the syscall function's used by this malware as per following table that I made for myself during this analysis:<br>
<a href=https://lh3.googleusercontent.com/8pzLxcw3mFKNSm7swUDb4uoqlhiHG5SRyPefc_vXnavNmf_KzUPxM6MSMbaG0iKqjNJPM8fH85Xu9BRRNuMcZAgMJ50uECq1cJtwhHYXAzRE_R_mttQLLKv-lzfSDSYbPyAuwimqE9g=w703-h851-no><img src="https://lh3.googleusercontent.com/8pzLxcw3mFKNSm7swUDb4uoqlhiHG5SRyPefc_vXnavNmf_KzUPxM6MSMbaG0iKqjNJPM8fH85Xu9BRRNuMcZAgMJ50uECq1cJtwhHYXAzRE_R_mttQLLKv-lzfSDSYbPyAuwimqE9g=w400-h851-no"></a>
<br>
The rest is up to you on how to make it easy to name the strings for each "syscall" for your purpose, I go by the above strings naming since it is fit to my RE platform, I suggest you refer to Linux syscall base on naming them [<a href="http://man7.org/linux/man-pages/man2/syscalls.2.html">link</a>].

<p>The next step is, you may need to change all function name in radare2 according to this "syscall table". Using the visual mode and analyze function name (afn) command is the faster way to do it manually, or you can script that too, radare2 can be used with varied of methods, anything will do as long as we can get the job's done. In my case I like to use these radare2 shell macro based on table I made for myself:
<pre class="brush: bash">
    :
s 0x0402060; af; afn ____connect; pdf |head 
s 0x0401CF0; af; afn ____write; pdf |head 
s 0x04019B0; af; afn ____fork; pdf |head 
    :
</pre>
<br>
The result is as per seen in the below screenshot:
<br>
<a href=https://lh3.googleusercontent.com/vUCsIhRlcbRREA7zIAMONKNvWgVPbpXa25SyeYQMyPZO9gyomb71MNvGLgRtDMSyyIDQHUDPBVimE5V2bGFEi7mWMz5uRCr-Qbr832Di0nyzyfmj5I4Agjmh7T7EcQs7htSKjn3B0Ds=w1025-h729-no><img src="https://lh3.googleusercontent.com/vUCsIhRlcbRREA7zIAMONKNvWgVPbpXa25SyeYQMyPZO9gyomb71MNvGLgRtDMSyyIDQHUDPBVimE5V2bGFEi7mWMz5uRCr-Qbr832Di0nyzyfmj5I4Agjmh7T7EcQs7htSKjn3B0Ds=w580-h729-no"></a>
<p>
Up to this way, we'll have all of the syscalls back in place :) Don't worry, you'll do this faster if you get used to it.
<a href=https://lh3.googleusercontent.com/IYmCXB_V2Vlkig32xlOeakyt2qrFQybfEz859-s2SGdeR4AcL-5wxjH9cBpi0AaHJolz9Tdxtsu2lSRrelkGldwYRIq7CTVvZp1ysWwDGjxcvzUrIpxSE33U5MHVRQfOpLUwEQby5tw=w1106-h949-no><img src="https://lh3.googleusercontent.com/IYmCXB_V2Vlkig32xlOeakyt2qrFQybfEz859-s2SGdeR4AcL-5wxjH9cBpi0AaHJolz9Tdxtsu2lSRrelkGldwYRIq7CTVvZp1ysWwDGjxcvzUrIpxSE33U5MHVRQfOpLUwEQby5tw=w580-h949-no"></a>
<p>
The result looks cool enough for me to read the radare2 graph on examining how this MIPS binary further goes..
<a href=https://lh3.googleusercontent.com/UOcTIUCANA0k0L5XMtebHWVgP9IHsEf9nfjSXDyHWcrsM8bTKDK3bFJevBan-Muib5_dbvvt0NKrh4XWclZ74wkH_ad5LNDNx7kh44f1imOS9k9MVYPfLQcLX7OLuTEPBo01qoq7fuc=w1082-h957-no><img src="https://lh3.googleusercontent.com/UOcTIUCANA0k0L5XMtebHWVgP9IHsEf9nfjSXDyHWcrsM8bTKDK3bFJevBan-Muib5_dbvvt0NKrh4XWclZ74wkH_ad5LNDNx7kh44f1imOS9k9MVYPfLQcLX7OLuTEPBo01qoq7fuc=w580-h957-no"></a>
<p>
The next step is a generic way on reversing a stripped binary, by defining the functions that is not part of <b>Libc </b>but likely coded by malware coder. For this task, you have to check the rest of the function and seek whether the XREF doesn't go to any of syscall wrapper functions, make sure that function itself is not the main() function, init_proc() nor init_term() functions, and that goes to the below leftover list, just naming it to anything you think it is fit with to what it does. 

<p>In my case I named them this way:<br>
<a href=https://lh3.googleusercontent.com/r05PVYUL0HuujtiZStkvwRX7XnMm6y_7fGTgOFftCf9rhA6dhjfRjlkQq83uMMxbbuZYIRjWP1ruNiqamlgVYx4zvHAu7SGWiHLA1jZUT71_PZejKZfoBrFIcPvEPqCfG6TWNWKJfW0=w796-h338-no><img src="https://lh3.googleusercontent.com/r05PVYUL0HuujtiZStkvwRX7XnMm6y_7fGTgOFftCf9rhA6dhjfRjlkQq83uMMxbbuZYIRjWP1ruNiqamlgVYx4zvHAu7SGWiHLA1jZUT71_PZejKZfoBrFIcPvEPqCfG6TWNWKJfW0=w500-h338-no"> </a>
<br>
Then we can put the correct function name into the binary using the same macro I showed you previously, then we are pretty much completed in making this binary so readable... hold on, but read it from where? Where to start?
<p>
To pick a good place to start to start reversing, this command will help you to pick some juicy spots, all the extractable strings will be dumped and we can pick one interesting one to start, and go up to build the big picture.:)
<p>
Actually symbols are giving us much better options, but right now we don't have anything else that is readable enough to start..
<br>
<a href=https://lh3.googleusercontent.com/NkLmUQYR3h3rWhMvTQxdFdvcLM7icFVoHT27xvS_1IfQROjAUWJz0SrJv8PTsPyBYx_4Mouj6J4FCirSk4dt_dGwbnhMOy1PahpEUzccYyxRKYX2AaPBt04qs9T9u_9Ya-zf5IfFiZk=w1252-h852-no><img src="https://lh3.googleusercontent.com/NkLmUQYR3h3rWhMvTQxdFdvcLM7icFVoHT27xvS_1IfQROjAUWJz0SrJv8PTsPyBYx_4Mouj6J4FCirSk4dt_dGwbnhMOy1PahpEUzccYyxRKYX2AaPBt04qs9T9u_9Ya-zf5IfFiZk=w580-h852-no"></a>
<br>
You can start to trace this binary from these text address reference and then go up to the call in the main function that supports it. For example, by using the visual mode you can seek the XREF of each text to see how it is called from which function and you can trail them further after that. This isn't going to be difficult to read since you have all functions back in place. 
<p>
The picture below is showing how the "<b>air dropping</b>" is referred to the caller function.
<br>
<a href=https://lh3.googleusercontent.com/XJmMCMDGdF8DIsxqOr9Y5sNd8Ta1X9-kIabOCeDfYvHrpzo0xUtsbzZ_sXF8AnIZ4m5RhhFqglDRvPGtqLLs4YbVsHwqyx8m61YQFwBpXeMPazH5Qr0IQ3EJl5Y5FC_KHkg7G5KjmOE=w1693-h818-no><img src="https://lh3.googleusercontent.com/XJmMCMDGdF8DIsxqOr9Y5sNd8Ta1X9-kIabOCeDfYvHrpzo0xUtsbzZ_sXF8AnIZ4m5RhhFqglDRvPGtqLLs4YbVsHwqyx8m61YQFwBpXeMPazH5Qr0IQ3EJl5Y5FC_KHkg7G5KjmOE=w580-h818-no"></a>
<p>
That's it. These methods I shared are useful methodology in analyzing Linux MIPS-32 binary especially stripped ones like the one I have now. I think you're good enough to go to complete your own analysis by yourself too. Please just tried those methods if you don't have any other better ways and don't be afraid if other RE tools can't make you read the MIPS-32 binary well, just fire the <b>radare2 </b>with the tips written above, and everything should be okay :)
<p>We go on with the malware analysis of this binary and its threat then..

<h2>What does this MIPS-32 binary do?</h2>

<p>Practically. the MIPS binary is bot that is having a mission to infect the host it was dropped into (note: so it needs a dropping scheme to go to the infected host beforehand), making a malicious process called "<b>cloudprocess</b>", send message of "<b>airdopping clouds</b>" through the standard output (that can be piped later on). It is recording its "PID" and <b>fork </b>its process for the further step. The message of "airdropping clouds" is the reason why I called this malware as "AirDropBot" eventhough the coder prefer to use "Cloudbot", which there is also a legitimate good software that uses that name too as their brand.

<p>Upon successful forking it will extract the what the coder so-called "<b>encrypted array</b>", it's ala Mirai table crypted keywords in its concept, but it is different in implementation., I must guess that it could be originally coded to avoid XOR operation which is the worst Mirai bug in the history :) but this "<b>encrypt_array</b>" is just ending up to an encoded obfuscation function :) - Anyhow the value from this "decrypted" coded is used for further malware process. 

<p>Then the malware tries to connect to the C2 which its IP address is hard-coded in the binary, <i>on a success connection attempt to C2 server, it will parse the commands sent by the C2 to perform three weaponized functions on the binary to perform <b>TCP, and UDP DDoS attack</b> with either using the specific hex-coded payload, or the latter on is using a custom pattern so-called "<b>hex-attack</b>" that sends DoS packet in a hex escape strings format</i> to the targeted host.

<p>I will break it down to more details in its specific functions in the next sections.

<h2>The "encryption" (aka the obfuscation)</h2>

<p>The challenge was the "encryption" part, it was 
I used radare2 with ESIL to see the "encrypted" variables, as per snipped below as PoC:<br>
<a href=https://lh3.googleusercontent.com/zNuW4LhX-118zxLZ4vDuNQ4cLr6bFLGlsg55KcLt2-_epzPe8dY4CL0YzN4iwwqMZxuR5CuRS6ey9NULLBtyZyTa62rhXMKnO5eTFv-kBLx6bjIJKQnKGQeJFfizY19ElqU28nXOqCc=w1359-h652-no><imgsrc=https://lh3.googleusercontent.com/zNuW4LhX-118zxLZ4vDuNQ4cLr6bFLGlsg55KcLt2-_epzPe8dY4CL0YzN4iwwqMZxuR5CuRS6ey9NULLBtyZyTa62rhXMKnO5eTFv-kBLx6bjIJKQnKGQeJFfizY19ElqU28nXOqCc=w580-h652-no></a>

<p>The decryption is by [shift-1] as per shown in the cascade loop shown in every encoded strings. <br>
<a href=https://lh3.googleusercontent.com/acWcBjk_zCrSN8cWdv3R16_Q5rTFA6Bk6anwMIIgRm70UZmNocYFg7xjoPxulZH7q7tJD73Ke2Py4C8mrz6vWZuCc18Y3JUuI-bP1KG5PDR0_DKijlWcXXm4b-gRfF6Dx0B8JCZo6sw=w915-h957-no><img src="https://lh3.googleusercontent.com/acWcBjk_zCrSN8cWdv3R16_Q5rTFA6Bk6anwMIIgRm70UZmNocYFg7xjoPxulZH7q7tJD73Ke2Py4C8mrz6vWZuCc18Y3JUuI-bP1KG5PDR0_DKijlWcXXm4b-gRfF6Dx0B8JCZo6sw=w500-h957-no"></a>
<br>
If we want to translate this decryoter scheme, it may look something like this (below), I break it up in 3 functions but in assembly it is all in a function and cascaded to each strings to be decoded:<br>
<pre class="brush: cpp">
int encrypt_array()
{ 
  array_splitter("xxxx");
  array_splitter("yyyy");
   :
}
int array_splitter(char *src)
{
  strcpy(var_char_buffer, src);
  char_decrypter(var_char_buffer);
    array_counter++
  return;
}
int char_decrypter(char *src2)
{
  int i; strcpy(dstring, src2);
  for ( i = 0; strlen(dstring) > i; ++i )
   // {redacted shift -1 logic to dstring} //
  strcpy(j, dstring);
  return j++
}
</pre>

<p>The result for the "decryption" can be shown as per below, using ESIL with the fake stack can be used to emulate this with the same result, so you don't need to get into the debug mode:<br>
<a href=https://lh3.googleusercontent.com/noBKIHIM7EcFgLjZSxOhKz8LQEpp35Zz9koi_UKtJ5Bea4IKoEFZCUQ6n3xGdlm5mQ_i2VW3imbQw_05TDuGG5nGqQIXwtza0puf18xcG-eJ8eGdYWML3Fe7BciZIkQUfTPhAKAzA5k=w1334-h445-no><img src="https://lh3.googleusercontent.com/noBKIHIM7EcFgLjZSxOhKz8LQEpp35Zz9koi_UKtJ5Bea4IKoEFZCUQ6n3xGdlm5mQ_i2VW3imbQw_05TDuGG5nGqQIXwtza0puf18xcG-eJ8eGdYWML3Fe7BciZIkQUfTPhAKAzA5k=w580-h445-no"></a>
<br>
The last four strings:
<pre class="brush: js">
/proc/
/maps
/cmdline 
/status 
/exe
</pre>
...are used for taking information (process name) from the infected Linux box, that will be used for the malware other functions like "killing" processes, etc. The other decrypted strings are used for infecting purpose (known credentials for telnet operation), and also for other botnet operation related. 

<p>Understanding the "decrypter" logic used is important because the same decrypter is used again to decode the C2 sent commands to the active bots before parsed and executed.

<h2>The C2, its commands and bot offensive activity</h2>

<p>What happened after decryption (encrypt_array) of these strings is, the binary gets into the loop to call the "connecting" function per 5 seconds. If I try to write C code based on this stage it's going to be like below snipcode:<br> 
<a href=https://lh3.googleusercontent.com/7ixBFIfJIpl10-tFjuwNZnxM5uST7ui18PCXWrhJkyWsDwDmC3zqsi2U3Oh7KSaA5HXr_O80UuCTK3OEdcIhFG5aVCL42APA1QnMRRNjadXuZ9yVI2_hDmfQ-K73Il7IWZkFdR49EGc=w1206-h448-no><img src="https://lh3.googleusercontent.com/7ixBFIfJIpl10-tFjuwNZnxM5uST7ui18PCXWrhJkyWsDwDmC3zqsi2U3Oh7KSaA5HXr_O80UuCTK3OEdcIhFG5aVCL42APA1QnMRRNjadXuZ9yVI2_hDmfQ-K73Il7IWZkFdR49EGc=w300-h448-no"></a>

<p>Within each loop, when it calls "connecting" function it will try to connect the C2 which is defined a struct sockaddr "addr", pointing to port number (htons) 455 (0x1c7) and IP: "179.43.149[.]189".
<br>
<a href=https://lh3.googleusercontent.com/g-kZIP8BUCU-QDQHpCbOquFlEzAWK4PvlkUj3SKcJtFO1lvfN6FVKsYBrtUhaXAW2jcqlUdO8X9BYAnlqGTBoFVYObdCuNaufaA1DBe1GobXyH81bEYwnG4vkJakv5mAOJ5zEzzQGyc=w1529-h566-no><img src="https://lh3.googleusercontent.com/g-kZIP8BUCU-QDQHpCbOquFlEzAWK4PvlkUj3SKcJtFO1lvfN6FVKsYBrtUhaXAW2jcqlUdO8X9BYAnlqGTBoFVYObdCuNaufaA1DBe1GobXyH81bEYwnG4vkJakv5mAOJ5zEzzQGyc=w580-h566-no"></a>

<p>When connected to C2, it will listen and receive the data sent by C2, to perform decryption and then to send its decryption result (as per previous logic) to the "<b>command parsing</b>" function, that's having "<b>cmd_parse</b>" sub-function inside. The  "<b>command parsing</b>" is delimiting received command with the white space " " for the "<b>cmd_parse</b>" to grep three possible keywords of <b>"udp"</b>, <b>"tcp"</b>, and <b>"hex"</b>, which in next paragraph those keywords will be explained further.
<p>
Below is the loop when the command from C2 is received (listened) inside the "connecting" function in radare2:
<br>
<a href=https://lh3.googleusercontent.com/hM9wjDRiIr8nfh6Xzie_z0V70SSVksMC11zF7Lq9naP8cxw9aMzf4RIGP5NKZxovmvx_wFNCwg_AFFHF9kYX2D1XAewZb3br55KJu3T37T6JilkmR7LvGAfEjiujwqdrPd4Pq2YXMHg=w1682-h809-no><img src="https://lh3.googleusercontent.com/hM9wjDRiIr8nfh6Xzie_z0V70SSVksMC11zF7Lq9naP8cxw9aMzf4RIGP5NKZxovmvx_wFNCwg_AFFHF9kYX2D1XAewZb3br55KJu3T37T6JilkmR7LvGAfEjiujwqdrPd4Pq2YXMHg=w580-h809-no"></a>

<p>Now we come into the offensive capability of this bot binary. The "udp" keyword will trigger the execution of "<b>udpattack</b>" function, "tcp" will execute "<b>tcpattack</b>" and so does the "hex" for executing the "<b>hexattack</b>" function. Each of the trigger keywords are followed by arguments that are passed to its related attack function, it emphasizes that a textual basis DoS attack command line starting with <i>udp, tcp or hex</i>, following by the <i>targets </i>or <i>optional attack parameters</i> are pushed from the C2 to the AirDropBots. Based on experience, the C2 CLI interface of recent DDoS botnets is having such interface matched to this criteria.

<p>TCP and UDP is having the same payload packet in binary is as per below:
<br>
<a href=https://lh3.googleusercontent.com/Lk2Hc_RJ1gx6DoJD3ZNE9b0RCWJKThGTbByQtk5NlnYLcZTMF_QIkvb7YUO57SGPQvPDJACxY4JTTfg2OEOKW7EZBrxjtfp04ChDomXYUEx-2ZVbrKmFPkinRUUKJxX_3xH18t-3qAE=w1175-h896-no><img src="https://lh3.googleusercontent.com/Lk2Hc_RJ1gx6DoJD3ZNE9b0RCWJKThGTbByQtk5NlnYLcZTMF_QIkvb7YUO57SGPQvPDJACxY4JTTfg2OEOKW7EZBrxjtfp04ChDomXYUEx-2ZVbrKmFPkinRUUKJxX_3xH18t-3qAE=w580-h896-no"></a>
<br>
...that is sent from <b>tcpattack</b>() and <b>udpattack</b>() in TCP and UDP different socket connection from the target sent by C2.

<p>The <b>hexattack </b>is having a different payload that looks like this:
<br>
<a href=https://lh3.googleusercontent.com/spFNmVuSFxLv2ZJxkX1d1eaa8ghPhizY1M3TI4MgAZOZfg12nnCvy3qd7zBeIdwMMnEn2mEin_X3B6GDB0cfBM9sHjtBjvSz-eVk9tvGFPtVSuvm3NMUpoMW7XLBaJrc-5KeGFTeQuM=w1329-h326-no><img src="https://lh3.googleusercontent.com/spFNmVuSFxLv2ZJxkX1d1eaa8ghPhizY1M3TI4MgAZOZfg12nnCvy3qd7zBeIdwMMnEn2mEin_X3B6GDB0cfBM9sHjtBjvSz-eVk9tvGFPtVSuvm3NMUpoMW7XLBaJrc-5KeGFTeQuM=w580-h326-no"></a>

<p>One last command is is "<b>killyourself</b>" (taken from decrypted table that was saved in a var) that will stop the scanning function fork with the flow more or less like this:<br>
<pre class="brush: cpp">
result = strstr(var_parsed_cmd, "killyourself");
  if ( result )
   { kill(scanner_fork_PID, 9);
     exit(0);
   }
return result;
</pre>
<br>
..and the kill function above is executing <i>"kill -9"</i> by calling  <i>int kill(__pid_t pid, int sig)</i>.

<p>As additional, in the older version, there is also another C2 command called: "<b>http</b>" that will execute "<b>httpattack</b>" function that is using HTTP to perform <b>L7 DoS attack</b> using the combination of User-Agents, but in this sample series  I don't see such function.

<h2>Is there any difference between MIPS and other binaries?</h2>

<p>Oh yes it has. The Intel and ARM version (or to binary that is having a scanner function) is interestingly having more functions. If I go to details on each functions for Intel binary maybe I will not stop writing this post, so I will summary them below with a pseudo code snips if necessary.
<p>
<b>1. The "<i>array_kill_list</i>" function</b>

<p>This function is used to kill process that matched to these strings:
<br>
<a href=https://lh3.googleusercontent.com/HVi8itsXjqMMip7pxra9El0AgDtI7cBiqbFIt80GR3fm94LDrkPqntm4huOi4NKKBntBqZO_Ggxl5HV-V-vk-VkRwI9stSk2I5ZADHqjX52ZalJe6-kbtQ4SmNrBlUiMT_v_WvXy3aQ=w1333-h917-no><img src="https://lh3.googleusercontent.com/HVi8itsXjqMMip7pxra9El0AgDtI7cBiqbFIt80GR3fm94LDrkPqntm4huOi4NKKBntBqZO_Ggxl5HV-V-vk-VkRwI9stSk2I5ZADHqjX52ZalJe6-kbtQ4SmNrBlUiMT_v_WvXy3aQ=w580-h917-no"></a>
<br>It seems this is how the bot herder gets rid of the competitor if they're in the same infected Linux box.
<br>This "<b>array_kill_list</b>" is accessed from killer() function that is being executed before going to "connecting" loop in the main for Intel version.

<p>The killer function is having multiple capability to stop unwanted processes too, it will be too long to describe it one by one but in simple C code and comments as per picture below will be enough to get the idea:
<br>
<a href=https://lh3.googleusercontent.com/V0njSMnfXKTOeSHIHYZ8ugh5mPlO06j5L22DJJPKoW7fXIMEXt1n5zyX1au7-CWQm57lP-2orTQ42EpMfp9OTQN9-57alujKLYU5ZV5Mqr3KXAMyAoQxBs6nXhEiJm5fIEHlRvk-iJI=w1164-h260-no><img src="https://lh3.googleusercontent.com/V0njSMnfXKTOeSHIHYZ8ugh5mPlO06j5L22DJJPKoW7fXIMEXt1n5zyX1au7-CWQm57lP-2orTQ42EpMfp9OTQN9-57alujKLYU5ZV5Mqr3KXAMyAoQxBs6nXhEiJm5fIEHlRvk-iJI=w580-h260-no"></a>

<p><b>2. The scanner, the spreader via exploit</b>

<p>The bot herder is aiming <b>Lynksys tmUnblock.cgi</b> of a known router's brand, the vulnerability that has to be patched since published 5 years ago. For this purpose, in intel and ARM binaries right after <b>killer()</b> function it runs <b>scanner()</b> function, targeting <b>randomized formed IP addresses</b>, using <b>a hard-coded "payload"</b> data, spoofed its origin by faking the HTTP request headers (for "tcp" or "http" flood), which is aiming <b>TCP port 8080</b> with the code translated from assembly to simplified C code looks like below:
<br>
<a href=https://lh3.googleusercontent.com/jTBJGvnSM7n9_bEUHmtphthEU3AlHGVptVEhtqBaBr_Wh72-EeDBLo2KxZnuqIr9R23_b4Pv11xs_5TdcWIapFgkYWLAmRB916509Zgm6dMQtioHWplwULRxViJ5Qg8wPbfGekwabjI=w1272-h733-no><img src="https://lh3.googleusercontent.com/jTBJGvnSM7n9_bEUHmtphthEU3AlHGVptVEhtqBaBr_Wh72-EeDBLo2KxZnuqIr9R23_b4Pv11xs_5TdcWIapFgkYWLAmRB916509Zgm6dMQtioHWplwULRxViJ5Qg8wPbfGekwabjI=w580-h733-no"></a>

<p>This scanner is having four pattern of payloads which I quickly paste it below for your reference if you are either receiving or researching this attack:
<br>
<a href=https://lh3.googleusercontent.com/hB2-mqV_8uY9GVoUR_m8t6YCY5-8rOl6MLlnKUm_Pk3NQravN6vA97XoIT11L9qiCU-7CZRHy3Nr1LZAWI0QiLAGZQK-du-3uMJwqZlr3bX61H-koBTwLzM6U3P0GSPy88tClXf-pkI=w1446-h621-no><img src="https://lh3.googleusercontent.com/hB2-mqV_8uY9GVoUR_m8t6YCY5-8rOl6MLlnKUm_Pk3NQravN6vA97XoIT11L9qiCU-7CZRHy3Nr1LZAWI0QiLAGZQK-du-3uMJwqZlr3bX61H-koBTwLzM6U3P0GSPy88tClXf-pkI=w580-h621-no"></a>
<br>
<a href=https://lh3.googleusercontent.com/okD2EfeRc0W-IzchoGWt59r-L6cHUlHaFE9dtvlT90Zc2LlHsBqGwvV5riwmc9uZTDZLNWV4lybBmEhPz2033eaQ4zT_AvAqdruRE8nDSNKY85bgJjVbwPVoytvMKMW9yUiKb0-FhxA=w1521-h781-no><img src="https://lh3.googleusercontent.com/okD2EfeRc0W-IzchoGWt59r-L6cHUlHaFE9dtvlT90Zc2LlHsBqGwvV5riwmc9uZTDZLNWV4lybBmEhPz2033eaQ4zT_AvAqdruRE8nDSNKY85bgJjVbwPVoytvMKMW9yUiKb0-FhxA=w580-h781-no"></a>
<p>Maybe one of the thing that I may suggest for this bot's scanner functionality is what it seems like a spoof capability. I examined into low level for code generation of about this part and found what the send syscall performed when AirDrop bot make scanning with exploit is interesting :) please take a look yourself of what has been recorded as per below snipcodes:<br>
<a href=https://lh3.googleusercontent.com/IfTEhUs7ZOe4_fg800SbN3Z3cMSmZxr0UpR2Z_5hZWT4lPmGh7eWvg7uT5bsT5EdhDIP2XQul9a7dxgNVm-vf06uon_SI2jIY-f6Y8US3fIo3AsHfHe6ZCucdEXetFMPVCOrhRoLvi4=w1500-h449-no><img src="https://lh3.googleusercontent.com/IfTEhUs7ZOe4_fg800SbN3Z3cMSmZxr0UpR2Z_5hZWT4lPmGh7eWvg7uT5bsT5EdhDIP2XQul9a7dxgNVm-vf06uon_SI2jIY-f6Y8US3fIo3AsHfHe6ZCucdEXetFMPVCOrhRoLvi4=w580-h449-no"></a>

<p>On those "scanner" function supported binary, the spreading scheme is executed with targeting random generated IP addresses by calling sub-function "<b>get_random_ip</b>" right after the the C2 has been attempted to call, and is using the same socket for multiple effort to infect Linksys CGI  vulnerability. Below is the record in re-production this activity:
<br>
<a href=https://lh3.googleusercontent.com/ApPUPuGS1eDAvqpmVrEz4YRcgNxYfE18L1fP81B3a6zOeBLjD-0yXF4dwlyYzqrOSZndxO2GqHvwt0V9t5jYlAMkpQtrPGmc8cLSXDaUFMTuHHY9rEmq7gz0r1kFuqEmMcoLt0JZ9zI=w963-h766-no><img src="https://lh3.googleusercontent.com/ApPUPuGS1eDAvqpmVrEz4YRcgNxYfE18L1fP81B3a6zOeBLjD-0yXF4dwlyYzqrOSZndxO2GqHvwt0V9t5jYlAMkpQtrPGmc8cLSXDaUFMTuHHY9rEmq7gz0r1kFuqEmMcoLt0JZ9zI=w580-h766-no"></a>

<p><b>3. The "<i>singleInstance</i>" function</b>

<p>This is a code to make sure that there is no duplication of "<b>cloudprocess</b>" process that runs after a device getting infected. It's a simple code to kill -KILL the PID of detected double instance. You can easily reverse and examine it by yourself.
<p>
Below is the example ARM-32 assembly code for this function with my comments in it just in case:<br>
<a href=https://lh3.googleusercontent.com/-lMy_XTyRgqwC72_aNnEp_fZ8D4n4CfGiQs7iuCxXc7pfKoi0ftfGwazL8aLdxLFFZuwBAFga2LkH_FtjdAYtCvfe2mg8bQsfdNd1oaMF8vojlPkMMwTQKQe1LPoEG95zLW9aJppu5s=w1692-h686-no><img src="https://lh3.googleusercontent.com/-lMy_XTyRgqwC72_aNnEp_fZ8D4n4CfGiQs7iuCxXc7pfKoi0ftfGwazL8aLdxLFFZuwBAFga2LkH_FtjdAYtCvfe2mg8bQsfdNd1oaMF8vojlPkMMwTQKQe1LPoEG95zLW9aJppu5s=w580-h686-no"></a>
<br>
for the right side of code, if I write that in C it's going to be something like this, more or less:
<br>
<a href=https://lh3.googleusercontent.com/d0MWT2JgMm6eqLIr9CA_X4IfzQgmVb-eVVRIk1Drsds5nXdhjXOMw0alS3pNMlXw3dkXh5A4dzssx9KfvSqCX5S37NKzUQOCWEzKNIQE93LHy4RunnOijvqywmxVfg6sgQZQGFnY8qo=w630-h454-no><img src="https://lh3.googleusercontent.com/d0MWT2JgMm6eqLIr9CA_X4IfzQgmVb-eVVRIk1Drsds5nXdhjXOMw0alS3pNMlXw3dkXh5A4dzssx9KfvSqCX5S37NKzUQOCWEzKNIQE93LHy4RunnOijvqywmxVfg6sgQZQGFnY8qo=w300-h454-no"></a>

<h2>BONUS: AirDropBot and the custom ELF packer case</h2>

<p>As per other ELF badness produced by botnet adversaries in the internet, the AirDropBot is having binary that is packed with custom packer too.
<p>
The below file [<a href=https://www.virustotal.com/gui/file/187492dca212f30e70cc7226a28f3704abd7fe37f1d4c33a70884539c670c05f/detection>link</a>] is one good real example of AirDropBot ELF in packed mode, the VirusTotal detection is like below:<br>
<a href=https://lh3.googleusercontent.com/9v1IjEJq6zWlGRk7FkDt2dTGSijTFlocRoR9clPkR0tLByVfyVn1fQIjM9YOYC2uGSd0MIU1Pm9RMTBDLZNS_mylxX_1We5WXhwht86f3JoXmNRiUoAy9KwDKoKFTZXzU5v-a8E7cGk=w835-h607-no><img src="https://lh3.googleusercontent.com/9v1IjEJq6zWlGRk7FkDt2dTGSijTFlocRoR9clPkR0tLByVfyVn1fQIjM9YOYC2uGSd0MIU1Pm9RMTBDLZNS_mylxX_1We5WXhwht86f3JoXmNRiUoAy9KwDKoKFTZXzU5v-a8E7cGk=w400-h607-no"></a>

<p>This sample is spotted in the wild a while ago on trying to infect one of my honeytraps. The "<b>file</b>" result looks like this:<br>
<pre class="brush: js">
x86.cloudbot: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped
</pre>
<br>
The binary is packed and by reading the assembly flow in the packer codes we can tell it is a UPX-like packer. It looks like this:
<br>
<a href=https://lh3.googleusercontent.com/wqIROGSa9mA44GCix1fLk-GzqUoVGTvhz6BKTKSXDBAQrdainlA5Ht47A3KArXZXX5ygasdS6iMupM-OIaTquayRjuxOdnin-NnyksqoXligzatFasqn2l-bQaQPkgESwtMle-0Sk5U=w1805-h940-no><img src="https://lh3.googleusercontent.com/wqIROGSa9mA44GCix1fLk-GzqUoVGTvhz6BKTKSXDBAQrdainlA5Ht47A3KArXZXX5ygasdS6iMupM-OIaTquayRjuxOdnin-NnyksqoXligzatFasqn2l-bQaQPkgESwtMle-0Sk5U=w580-h940-no"></a>

<p>If you follow my presentation in <b>R2CON2018 </b>in the last part (the main course) about unpacking with radare2 for an unknown packer, the same method can be applied for you to get the <b>OEP</b> by implementing several "<b>bp</b>" on the unpacker processes. There are slides and video for that, use this link for some more information: [<a href=https://www.reddit.com/r/LinuxMalware/comments/9eqn6m/about_my_presentation_of_unpacking_the/>link</a>]
<br>That is exactly the method I applied to unpack this ELF.

<p>Then next, after you <b>bp</b> to part where packed code copied to the base memory defined in the LOAD0 section, I will share "my way to" easily extract the unpacked ELF afterward:<be>
<a href=https://lh3.googleusercontent.com/uhrS7W3YM-9tJQUjG2cdJQPCNyxulcap_6pG3v5ielWmW8Q4Tau5HaLH6Id56YmGdumDAqToAdSVaDrbWEVvJIRkx3WXJACEklJGJm-3ABRJgRUXPs5UtKQOLpbggxozv97Ai9pmDR0=w1199-h957-no><img src="https://lh3.googleusercontent.com/uhrS7W3YM-9tJQUjG2cdJQPCNyxulcap_6pG3v5ielWmW8Q4Tau5HaLH6Id56YmGdumDAqToAdSVaDrbWEVvJIRkx3WXJACEklJGJm-3ABRJgRUXPs5UtKQOLpbggxozv97Ai9pmDR0=w580-h957-no"></a>

<p>ELF file headers is having enough information to be rebuilt, let's use it, assuming the header table is the last part of the ELF the below formula is more or less describing the size of the unpacked object:
<pre class="brush: cpp">
// formula:

e_shoff + ( e_shentsize * e_shnum ) = +/- file_size

// math way:

0x00013af8 + ( 0x0028 * 0x0013 ) = file_size

// radare2 way:

? (0x0028 * 0x0013) + 0x00013af8|grep hex
</pre>

<p>And.. there you go, this is my unpacked file: [<a href=https://www.virustotal.com/gui/file/e42964a8d5aa0d82bf2eda129d422baa4201600c92a89af0f3fdbd67cfed40e0/detection>link</a>]
<p>
Next, let's see the detection ratio of this packed binary in Virus Total after successfully unpacked (..well, at least it is two points higher than the packed one) :
<br>
<a href=https://lh3.googleusercontent.com/-_EylHP07T_O-6HFKW7rmzCU_ar3tW0ceJoepMsfYeEhW5lZTyKsk-7GoAVtTn0CTFU5SOSL7UH2XObd-HhXCVXJCR0W-s6VdCvtqED67X-ALhEEl69b-I9Bl87JGIY_ltE-Fhn2GJg=w829-h607-no><img src="https://lh3.googleusercontent.com/-_EylHP07T_O-6HFKW7rmzCU_ar3tW0ceJoepMsfYeEhW5lZTyKsk-7GoAVtTn0CTFU5SOSL7UH2XObd-HhXCVXJCR0W-s6VdCvtqED67X-ALhEEl69b-I9Bl87JGIY_ltE-Fhn2GJg=w400-h607-no"></a>
<br>
And the binary after unpacked is very much readable now..and BOOM! the C2 of this packed ELF is in <b>185.244.25[.]200</b>, <b>185.244.25[.]201</b>, and <b>185.244.25[.]202</b> are revealed! :)) Now we know why the adversary wanted to pack their binary that bad.
<br>
<a href=https://lh3.googleusercontent.com/7yhl8IWlsrhepienGpDNseP80SEB3ig4j-7m68Ux-yz31tVHMWh10PrK5QRcsvnERtbTsmkIxLMU12D0h2pMOrzOaEU30YM6PulX4sVH2-XUSbptAJTt2kNkL7HyifhNirrWWwT7Fkk=w954-h595-no><img src="https://lh3.googleusercontent.com/7yhl8IWlsrhepienGpDNseP80SEB3ig4j-7m68Ux-yz31tVHMWh10PrK5QRcsvnERtbTsmkIxLMU12D0h2pMOrzOaEU30YM6PulX4sVH2-XUSbptAJTt2kNkL7HyifhNirrWWwT7Fkk=w580-h595-no"></a>
<p>
For the addition, nowadays IoT botnet adversaries are not only packing the Intel binaries, but the embedded platform's (some are RISC cpu too) Linux binary are often seen packed also with the custom packers. Like in this similar threat report I made [<a href="https://imgur.com/a/Ak9zICq">link</a>], with the ELF binary for MIPS cpu (noted: big endian one), sample that was actually spotted inside of the house of a victim (in his MIPS IoT daily used device, I won't disclose it further). I analyzed and unpacked it, to find that is not only "UPX!" bytes tampering that has been replaced.
<p>
Let me quote it in here too about my suggested unpacking methods for embedded Linux binaries I wrote in the linked post, as follows:<p>
<pre class="brush: js">
"There are other radare2 ways also for unpacking and extracting 
unpacked sample manually too.

The "dmda" is also useful to dump but it's maybe a bit hard effort to 
run it on embedded system, or, you can fix the load0 and load1 that can 
also be done after you grab "OEP", or, you can also break it in the exact
rewriting process to the base address, but either ways, should be able 
to unpack it. 

First ones will consume workspace in the memory for performing it.. I 
don't think RISC systems has much luxury in space for that purpose, 
but the latter one in some circumstance can be performed in ESIL mode."
</pre>
<p>
The thing is you should master all of those methods, and only by that most of binary packing possibility in Linux can be solved manually without depending on UPX or any automation tools.
<p>
<b>"So don't worry, just fire your radare2, and everything will be just Okay!"</b> :D (my favorite motto)
<p>

<h2>In a short summary as the conclusion</h2>

<p>This binaries are a DoS bot clients, a part of a DDoS botnet. It spread as a worm with currently aiming Lynksys tmUnblock.cgi routers derived by non MIPS built binaries that infects machines to act as payload spreader too. I must warn you that I did not check the details in every 26 binaries came up during this investigation, but I think the general aspect is covered.

<p>These are malware for Linux platform, it has backdoor, bot functions and are having infection capability with aiming vulnerability in routers CGI or telnet. The malware is coded with many originality intact, again, it is a newly coded, it is not using codes from  Mirai-like, GafGyt (Qbot/Torlus base), or Kaiten (or STD like), but I can tell that the development is not mature yet. I was about to name it as "Cloudbot" but it looks like there is a legitimate software already using it so I switched to the "Airdropbot" instead due to the hardcoded message printed on a success infection. This is a new strain of various library of IoT botnet, I hope that other security entities and law enforcer aware of what has just been occurred here, before it is making bigger damage like Mirai botnet did before.

<h2>Detection methods</h2>

<h2>Binary detection</h2>

<p>For the binary signature method of detection. The unpacked version will hit just fine. But since the AirDropBot was developed to support many embed platform from various CPU and "endianness" type, to detect it precisely you may need to code several signatures. However, if you see the typical functions of their binary carefully, so it is yes, one generic rule can be generated and applied. For that I PoC'ed it myself to develop a bit complex Yara rules to detect them all and to recognize which binary that is having the scanner and not.

<p>The snippet code and scan example is as per screenshot below.
<br>
<a href=https://lh3.googleusercontent.com/s5lx6Kkvbrk65QV33QipOyahPxKd3OTfDwUfjRDCSYBvFI2Q4-PNe3hscAYt4oJ5nzRWU0g9N4ZEvtvgBxiuZU43F4q2Ew6e4qcZc9kYBuUztZg7F9BF2CftPzf4E7PWfFmgRatc1Ow=w1478-h853-no><img src="https://lh3.googleusercontent.com/s5lx6Kkvbrk65QV33QipOyahPxKd3OTfDwUfjRDCSYBvFI2Q4-PNe3hscAYt4oJ5nzRWU0g9N4ZEvtvgBxiuZU43F4q2Ew6e4qcZc9kYBuUztZg7F9BF2CftPzf4E7PWfFmgRatc1Ow=w580-h853-no"></a>

<h2>Traffic detection</h2>

<p>For the traffic detection, there are two methods that you can apply as detection: <i><b>(1) The Initial Connection</b></i> and activities of AirDropBot does right after the success infection, or <i><b>(2) the DoS traffic</b></i>, I am explaining both as follows.

<p>The Initial connection detection is related to the nature of this malware, which is connecting to C2 and performing scanning for vulnerabilities aiming random IP in 8080. I can suggest a nice Suricata or Snort rule can be coded for connection that's aiming TCP/455 (C2 connection port), but the C2 port can be changed by the adversaries too on their next campaign, but that's not going to be easy for them to prepare all of those varied binaries and C2 port changes immediately (smile). The other way is to focus on the scanner payloads as per described in some of pictures above, the Surucata rules to detect them will last longer IF the same vulnerability is still being aimed.

<p><a href=https://lh3.googleusercontent.com/roaBiLZkqwv5s8d7vWQ7677_meMN8O018aZOqoJHFwBbRk4KoBu_SO3XAhrQkPCcb-Txcu2HKObZI6vK99wpIkopbN5wwM5QyKI-YIQ5G5jKAT_FUBcI3rSjvVl6MK5w-glQXDIEDbc=w1690-h873-no><img src="https://lh3.googleusercontent.com/roaBiLZkqwv5s8d7vWQ7677_meMN8O018aZOqoJHFwBbRk4KoBu_SO3XAhrQkPCcb-Txcu2HKObZI6vK99wpIkopbN5wwM5QyKI-YIQ5G5jKAT_FUBcI3rSjvVl6MK5w-glQXDIEDbc=w580-h873-no"></a>

<p>The other detection is by using the AirDropBot's hardcoded flood packets, which I was in purpose whoring them in the attached pictures above too. This way you may be able to recognize the DoS traffic activity performed by this threat in the future DDoS incidents. Sucicata and Snort rules are supported for this purpose.

<p>The bad actors and his gang are still at large and reading this blog post too :) , I am sorry I can not share the generic scanning code I made in here, but the screenshots I provided are enough for fellow reversers to recognize and implement these detection methods to filter these series of AirdropBot activities. The rest is OpSec.

<h2>Hashes and IOC information</h2>

<p>The hashes are listed as per below and IOC has been posted to MISP and OTX for all blue-teamer community to be noticed.
<br>
<pre class="brush: js">
../bins/aarch64be.cloudbot    | 417151777eaaccfc62f778d33fd183ff
../bins/arc.cloudbot          | d31f047c125deb4c2f879d88b083b9d5
../bins/arcle-750d.cloudbot   | ff1eb225f31e5c29dde47c147f40627e
../bins/arcle-hs38.cloudbot   | f3aed39202b51afdd1354adc8362d6bf
../bins/arm.cloudbot          | 083a5f463cb84f7ae8868cb2eb6a22eb
../bins/arm5.cloudbot         | 9ce4decd27c303a44ab2e187625934f3
../bins/arm6.cloudbot         | b6c6c1b2e89de81db8633144f4cb4b7d
../bins/arm7.cloudbot         | abd5008522f69cca92f8eefeb5f160e2
../bins/fritzbox.cloudbot     | a84bbf660ace4f0159f3d13e058235e9
../bins/haarch64.cloudbot     | 5fec65455bd8c842d672171d475460b6
../bins/hnios2.cloudbot       | 4d3cab2d0c51081e509ad25fbd7ff596
../bins/hopenrisc.cloudbot    | 252e2dfdf04290e7e9fc3c4d61bb3529
../bins/hriscv64.cloudbot     | 5dcdace449052a596bce05328bd23a3b
../bins/linksys.cloudbot      | 9c66fbe776a97a8613bfa983c7dca149
../bins/m68k-68xxx.cloudbot   | 59af44a74873ac034bd24ca1c3275af5
../bins/microblazebe.cloudbot | 9642b8aff1fda24baa6abe0aa8c8b173
../bins/microblazeel.cloudbot | e56cec6001f2f6efc0ad7c2fb840aceb
../bins/mips.cloudbot         | 54d93673f9539f1914008cfe8fd2bbdd
../bins/mips2.cloudbot        | a84bbf660ace4f0159f3d13e058235e9
../bins/mpsl.cloudbot         | 9c66fbe776a97a8613bfa983c7dca149
../bins/ppc.cloudbot          | 6d202084d4f25a0aa2225589dab536e7
../bins/sh-sh4.cloudbot       | cfbf1bd882ae7b87d4b04122d2ab42cb
../bins/sh4.cloudbot          | b02af5bd329e19d7e4e2006c9c172713
../bins/x86.cloudbot          | 85a8aad8d938c44c3f3f51089a60ec16
../bins/x86_64.cloudbot       | 2c0afe7b13cdd642336ccc7b3e952d8d
../bins/xtensa.cloudbot       | 94b8337a2d217286775bcc36d9c862d2
</pre>

<h2>Salutation & Epilogue</h2>

<p>I would like to thank to @0xrb for his persistence trying to convince me that this binary is interesting. It is interesting indeed, and as promised, this is the analysis I did after work, writing this in 8hours more non-stop. Thank's also for other readers who keep on supporting MMD, and as team, we appreciate your patience in waiting for our new post.

<p>Thank you <b>pancake </b>and <b>Radare2 teams</b> who keep on making <b>radare2 </b>the best RE tools for UNIX (All of the <b>radare2</b> reversing was done in <b>FreeBSD OS, thank you for your great support to FreeBSD!</b>), and also I thank <b>Tsurugi DFIR team</b> for your great forensics tools. For these open source security frameworks I still keep on helping with tests and bug reports. 

<p>Okay, I will rest and will wordsmith some <i>miserable jargon parts</i> of the post later, maybe I will add detail that I didn't have much time to write it now, or, to correct some minor stuff. In the mean time, enjoy the writing, please share with mention or using #MalwareMustDie hashtag. This post is a start for more posts to come.

<p>A tribute to the newborn <b>radare2 </b>community in Japan <b>"r2jp"</b>, that we established in 2013 together with "pancake" on <b>AVTokyo</b> workshop in Tokyo, Japan.
<p>
<img src="https://lh3.googleusercontent.com/OnkyNMQ5uWBuO37JyrH10yq8BBp9-_efVp8ePrs99hpGalksbuHKjgW_jgImemTBUX0JHfe-cTRkAy7DTvBt8FEzMT24c34kUZOAbXcw5asktpvKeuV9QZxdnS6o9fe_Hk1y42kM-TQ=w300-h423-no">

<p><i>This technical analysis and its contents is an original work and firstly published in the current MalwareMustDie Blog post (this site), the analysis and writing is made by <b>@unixfreaxjp</b>. 

<p>The research contents is bound to our legal <a href="https://blog.malwaremustdie.org/p/the-rule-to-share-malicious-codes-we.html">disclaimer guide line</a> in sharing of MalwareMustDie NPO research material</i>.<p>
<img src="https://lh3.googleusercontent.com/dsk-63KxE8vQ-QD1caFyx6MrmGL2Xdiwo7DZjphwXBMrKTeYz6Zbb4NyoeFtSJdfrvlOSsnScpEP2V75H5r8AViyUGee-WOuoLnx0k9uH_A80bxzezs0AqiPZI0XaGh6Dvxg7iiVDrI=w400-h566-no">

<p>Malware Must Die!
<div style='clear: both;'></div>
</div>
<div class='post-footer'>
<div class='post-footer-line post-footer-line-1'><span class='post-author vcard'>
Posted by
<span class='fn'>unixfreaxjp</span>
</span>
<span class='post-timestamp'>
at
<a class='timestamp-link' href='https://blog.malwaremustdie.org/2019/09/mmd-0064-2019-linuxairdropbot.html' itemprop='url' rel='bookmark' title='permanent link'><abbr class='published' itemprop='datePublished' title='2019-09-28T02:35:00+09:00'>Saturday, September 28, 2019</abbr></a>
</span>
<span class='post-comment-link'>
</span>
<span class='post-icons'>
<span class='item-control blog-admin pid-1814417508'>
<a href='https://www.blogger.com/post-edit.g?blogID=8268358095554400245&postID=986273841544985370&from=pencil' title='Edit Post'>
<img alt='' class='icon-action' height='18' src='https://resources.blogblog.com/img/icon18_edit_allbkg.gif' width='18'/>
</a>
</span>
</span>
<div class='post-share-buttons goog-inline-block'>
<a class='goog-inline-block share-button sb-email' href='https://www.blogger.com/share-post.g?blogID=8268358095554400245&postID=986273841544985370&target=email' target='_blank' title='Email This'><span class='share-button-link-text'>Email This</span></a><a class='goog-inline-block share-button sb-blog' href='https://www.blogger.com/share-post.g?blogID=8268358095554400245&postID=986273841544985370&target=blog' onclick='window.open(this.href, "_blank", "height=270,width=475"); return false;' target='_blank' title='BlogThis!'><span class='share-button-link-text'>BlogThis!</span></a><a class='goog-inline-block share-button sb-twitter' href='https://www.blogger.com/share-post.g?blogID=8268358095554400245&postID=986273841544985370&target=twitter' target='_blank' title='Share to Twitter'><span class='share-button-link-text'>Share to Twitter</span></a><a class='goog-inline-block share-button sb-facebook' href='https://www.blogger.com/share-post.g?blogID=8268358095554400245&postID=986273841544985370&target=facebook' onclick='window.open(this.href, "_blank", "height=430,width=640"); return false;' target='_blank' title='Share to Facebook'><span class='share-button-link-text'>Share to Facebook</span></a><a class='goog-inline-block share-button sb-pinterest' href='https://www.blogger.com/share-post.g?blogID=8268358095554400245&postID=986273841544985370&target=pinterest' target='_blank' title='Share to Pinterest'><span class='share-button-link-text'>Share to Pinterest</span></a>
</div>
</div>
<div class='post-footer-line post-footer-line-2'><span class='post-labels'>
</span>
</div>
<div class='post-footer-line post-footer-line-3'><span class='post-location'>
</span>
</div>
</div>
</div>
<div class='comments' id='comments'>
<a name='comments'></a>
</div>
</div>

        </div></div>
      
</div>
<div class='blog-pager' id='blog-pager'>
<span id='blog-pager-newer-link'>
<a class='blog-pager-newer-link' href='https://blog.malwaremustdie.org/2019/10/more-about-my-2019hacklu-keynote-talk.html' id='Blog1_blog-pager-newer-link' title='Newer Post'>Newer Post</a>
</span>
<span id='blog-pager-older-link'>
<a class='blog-pager-older-link' href='https://blog.malwaremustdie.org/2019/09/mmd-0063-2019-summarize-report-of-three.html' id='Blog1_blog-pager-older-link' title='Older Post'>Older Post</a>
</span>
<a class='home-link' href='https://blog.malwaremustdie.org/'>Home</a>
</div>
<div class='clear'></div>
<div class='post-feeds'>
</div>
</div></div>
</div>
</div>
<div class='column-left-outer'>
<div class='column-left-inner'>
<aside>
</aside>
</div>
</div>
<div class='column-right-outer'>
<div class='column-right-inner'>
<aside>
<div class='sidebar section' id='sidebar-right-1'><div class='widget HTML' data-version='1' id='HTML1'>
<h2 class='title'>About #MalwareMustDie!</h2>
<div class='widget-content'>
Launched in August 2012, MalwareMustDie(or MMD), is a registered <span style="font-weight:bold;">Non-profit Whitehat Organization</span>, as a Blue-Teaming media  to form work-flow activities to reduce malware in the internet <a href="https://en.wikipedia.org/wiki/MalwareMustDie">..[Read More]</a>
</div>
<div class='clear'></div>
</div><div class='widget BlogSearch' data-version='1' id='BlogSearch1'>
<h2 class='title'>Search keyword</h2>
<div class='widget-content'>
<div id='BlogSearch1_form'>
<form action='https://blog.malwaremustdie.org/search' class='gsc-search-box' target='_top'>
<table cellpadding='0' cellspacing='0' class='gsc-search-box'>
<tbody>
<tr>
<td class='gsc-input'>
<input autocomplete='off' class='gsc-input' name='q' size='10' title='search' type='text' value=''/>
</td>
<td class='gsc-search-button'>
<input class='gsc-search-button' title='search' type='submit' value='Search'/>
</td>
</tr>
</tbody>
</table>
</form>
</div>
</div>
<div class='clear'></div>
</div><div class='widget LinkList' data-version='1' id='LinkList1'>
<h2>Links</h2>
<div class='widget-content'>
<ul>
<li><a href='https://blog.malwaremustdie.org/feeds/posts/default?alt=rss'>RSS Feed</a></li>
<li><a href='https://www.malwaremustdie.org/'>Home Page</a></li>
<li><a href='https://blog.malwaremustdie.org/p/send-sample.html'>Send Sample</a></li>
<li><a href='https://www.google.com/search?q=malwaremustdie&tbm=nws&start=0'>News Search</a></li>
<li><a href='https://www.google.com/search?q=malwaremustdie&newwindow=1&client=firefox-b&biw=928&bih=462&source=lnt&tbs=cdr%3A1%2Ccd_min%3A7%2F1%2F2012%2Ccd_max%3A6%2F10%2F2016&tbm=#q=malwaremustdie&newwindow=1&tbs=cdr:1,cd_min:7/1/2012,cd_max:6/10/2016,sbd:1&start=10'>Web Search</a></li>
<li><a href='https://blog.malwaremustdie.org/p/linux-malware-research-list-updated.html'>Linux Malware</a></li>
<li><a href='https://unixfreaxjp.github.io/malwaremustdie/'>Github Repository</a></li>
<li><a href='https://www.youtube.com/playlist?list=PLSe6fLFf1YDX-2sog70220BchQmhVqQ75'>Video News, Demo, Reports</a></li>
<li><a href='https://malwared.malwaremustdie.org/'>"Malwared" Blacklist/Tracker</a></li>
<li><a href='https://blog.malwaremustdie.org/p/the-mmds-tango-down-project-archive.html'>"Tango down!" project (Archive)</a></li>
<li><a href='https://blog.malwaremustdie.org/p/the-rule-to-share-malicious-codes-we.html'>Disclaimer & Sharing Guide</a></li>
</ul>
<div class='clear'></div>
</div>
</div><div class='widget FeaturedPost' data-version='1' id='FeaturedPost1'>
<h2 class='title'>Recommended reading</h2>
<div class='post-summary'>
<h3><a href='https://blog.malwaremustdie.org/2020/01/mmd-0065-2020-linuxmirai-fbot.html'>MMD-0065-2020 - Linux/Mirai-Fbot&#39;s new encryption explained</a></h3>
<p>
 Prologue   [For the most recent information of this threat please follow this ==&gt; link ]   I setup a local brand new ARM base router I b...
</p>
<img class='image' src='https://lh3.googleusercontent.com/58YEFVF-KZsSkmn8kvB8Tgth6VmcLHujsJCXpyic5GrXNHLR9TYqkJpymvzGv2tpMNlN6vdIojrhzoRkYwRg5PLuj7Yj03fdPac-CJUEVSyFeBd1TX52UpHabUOkuaRiBjgiqTrqiW8=w300-h1864-no'/>
</div>
<style type='text/css'>
    .image {
      width: 100%;
    }
  </style>
<div class='clear'></div>
</div><div class='widget LinkList' data-version='1' id='LinkList2'>
<h2>Malware Analysis / Threat Reports (Indexed)</h2>
<div class='widget-content'>
<ul>
<li><a href='https://blog.malwaremustdie.org/2021/03/mmd-067-2021-recent-talks-on-linux.html'>MMD-0067-2021 - Recent talks on Linux process injection and shellcode analysis series (ROOTCON-2020, R2CON-2020 ++)</a></li>
<li><a href='https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html'>MMD-0066-2020 - Linux/Mirai-Fbot - A re-emerged IoT threat </a></li>
<li><a href='https://blog.malwaremustdie.org/2020/01/mmd-0065-2020-linuxmirai-fbot.html'>MMD-0065-2020 - Linux/Mirai-Fbot's new encryption explained</a></li>
<li><a href='https://blog.malwaremustdie.org/2019/09/mmd-0064-2019-linuxairdropbot.html'>MMD-0064-2019 - Linux/AirDropBot</a></li>
<li><a href='https://blog.malwaremustdie.org/2019/09/mmd-0063-2019-summarize-report-of-three.html'>MMD-0063-2019 - Summary of three years research (Sept 2016-Sept 2019)</a></li>
<li><a href='https://blog.malwaremustdie.org/2017/03/mmd-0062-2017-credential-harvesting-by.html'>MMD-0062-2017 - IoT/Studels SSH-TCP Forward Threat</a></li>
<li><a href='https://blog.malwaremustdie.org/2016/12/mmd-0061-2016-energymech-28-overkill-mod.html'>MMD-0061-2016 - EnergyMech 2.8 overkill mod</a></li>
<li><a href='https://blog.malwaremustdie.org/2016/10/mmd-0060-2016-linuxudpfker-and-chinaz.html'>MMD-0060-2016 - Linux/UDPfker and ChinaZ threat today</a></li>
<li><a href='https://blog.malwaremustdie.org/2016/10/mmd-0059-2016-linuxirctelnet-new-ddos.html'>MMD-0059-2016 - Linux/IRCTelnet (new Aidra)</a></li>
<li><a href='https://blog.malwaremustdie.org/2016/10/mmd-0058-2016-elf-linuxnyadrop.html'>MMD-0058-2016 - Linux/NyaDrop - MIPS IoT bad news</a></li>
<li><a href='https://blog.malwaremustdie.org/2016/09/mmd-0057-2016-new-elf-botnet-linuxluabot.html'>MMD-0057-2016 - Linux/LuaBot - IoT botnet as service</a></li>
<li><a href='https://blog.malwaremustdie.org/2016/08/mmd-0056-2016-linuxmirai-just.html'>MMD-0056-2016 - Linux/Mirai, how an old ELF malcode is recycled</a></li>
<li><a href='https://blog.malwaremustdie.org/2016/08/mmd-0054-2016-pnscan-elf-worm-that.html'>MMD-0055-2016 - Linux/PnScan ; A worm that still circles around</a></li>
<li><a href='https://blog.malwaremustdie.org/2016/06/mmd-0054-2016-atmos-botnet-and-facts.html'>MMD-0054-2016 - ATMOS botnet facts you should know</a></li>
<li><a href='https://blog.malwaremustdie.org/2016/04/mmd-0053-2016-bit-about-elfstd-irc-bot.html'>MMD-0053-2016 - Linux/STD IRC Botnet: x00's CBack aka xxx.pokemon.inc</a></li>
<li><a href='https://blog.malwaremustdie.org/2016/02/mmd-0052-2016-skidddos-elf-distribution.html'>MMD-0052-2016 - Overview of Overall "SkidDDoS" Linux Botnet</a></li>
<li><a href='https://blog.malwaremustdie.org/2016/02/mmd-0051-2016-debungking-tiny-elf.html'>MMD-0051-2016 - Debunking a Tiny Shellhock's ELF backdoor</a></li>
<li><a href='https://blog.malwaremustdie.org/2016/01/mmd-0050-2016-incident-report-elf.html'>MMD-0050-2016 - Linux/Torte infection (in Wordpress)</a></li>
<li><a href='https://blog.malwaremustdie.org/2016/01/mmd-0049-2016-case-of-java-trojan.html'>MMD-0049-2016 - Java Trojan Downloader/RCE) for minerd</a></li>
<li><a href='https://blog.malwaremustdie.org/2016/01/mmd-0048-2016-ddostf-new-elf-windows.html'>MMD-0048-2016 - DDOS.TF = ELF & Win32 DDoS service with ASP + PHP/MySQL MOF webshells</a></li>
<li><a href='https://blog.malwaremustdie.org/2015/12/mmd-0047-2015-sshv-ssh-bruter-elf.html'>MMD-0047-2015 - SSHV: SSH bruter Linux botnet w/hidden process rootkit</a></li>
<li><a href='https://blog.malwaremustdie.org/2015/12/mmd-0046-2015-kelihos-cnc-activity-on.html'>MMD-0046-2015 - Kelihos 10 nodes C2 / CNC on NJIIX (US) and its actor(Severa)</a></li>
<li><a href='https://blog.malwaremustdie.org/2015/12/mmd-0045-2015-kdefend-new-elf-threat.html'>MMD-0045-2015 - Linux/KDefend: a new China origin Linux threat w/disclaimer</a></li>
<li><a href='https://blog.malwaremustdie.org/2015/11/mmd-0044-2015-source-code-disclosure.html'>MMD-0044-2015 - Code disclosure of SkiDDoS threat</a></li>
<li><a href='https://blog.malwaremustdie.org/2015/09/mmd-0042-2015-polymorphic-in-elf.html'>MMD-0043-2015 - Linux/Xor.DDOS Polymorphic feature</a></li>
<li><a href='https://blog.malwaremustdie.org/2015/09/mmd-0042-2015-hunting-mr-black-ids-via.html'>MMD-0042-2015 - Geting to Linux/Mr.Black actor via Zegost </a></li>
<li><a href='https://blog.malwaremustdie.org/2015/09/mmd-0041-2015-reversing-pe-mail-grabber.html'>MMD-0041-2015 - PE Mail-grabber Spambot & its C99 WebShell</a></li>
<li><a href='https://blog.malwaremustdie.org/2015/08/mmd-0039-2015-learning-about-vbe.html'>MMD-0040-2015 - VBE Obfuscation & AutoIt Banco Trojan</a></li>
<li><a href='https://blog.malwaremustdie.org/2015/08/mmd-0039-2015-chinaz-made-new-malware.html'>MMD-0039-2015 - ChinaZ  Linux/BillGates.Lite Edition</a></li>
<li><a href='https://blog.malwaremustdie.org/2015/08/mmd-0037-2015-chinaz-and-ddos123xyz.html'>MMD-0038-2015 - ChinaZ's Ddos123.xyz</a></li>
<li><a href='https://blog.malwaremustdie.org/2015/07/mmd-0037-2015-bad-shellshock.html'>MMD-0037-2015 - Shellshock & Linux/XOR.DDoS C2</a></li>
<li><a href='https://blog.malwaremustdie.org/2015/07/mmd-0036-2015-kins-or-zeusvm-v2000.html'>MMD-0036-2015 - KINS (ZeusVM)v2.0.0. builder & panel leaks</a></li>
<li><a href='https://blog.malwaremustdie.org/2015/06/mmd-0035-2015-iptablex-or-iptables-on.html'>MMD-0035-2015 - Linux/.IptabLex or .IptabLes on Shellshock(by: ChinaZ)</a></li>
<li><a href='https://blog.malwaremustdie.org/2015/06/mmd-0034-2015-new-elf.html'>MMD-0034-2015 - Linux/DES.Downloader on Elasticsearch</a></li>
<li><a href='https://blog.malwaremustdie.org/2015/06/mmd-0033-2015-linuxxorddos-infection_23.html'>MMD-0033-2015 - Linux/XorDDoS case CNC:HOSTASA.ORG</a></li>
<li><a href='https://blog.malwaremustdie.org/2015/06/the-elf-chinaz-reloaded.html'>MMD-0032-2015 - The ELF ChinaZ "reloaded"</a></li>
<li><a href='https://blog.malwaremustdie.org/2015/04/mmd-0031-2015-what-is-netwire-rat.html'>MMD-0031-2015 - What is NetWire (multi platform) RAT</a></li>
<li><a href='https://blog.malwaremustdie.org/2015/01/mmd-0030-2015-new-elf-malware-on.html'>MMD-0030-2015 - New malware on Shellshock: Linux/ChinaZ</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/10/mmd-0029-2015-warning-of-mayhem.html'>MMD-0029-2014 - Warning of Linux/Mayhem attack in Shellshock</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/09/mmd-0028-2014-fuzzy-reversing-new-china.html'>MMD-0028-2014 - Linux/XOR.DDoS</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/09/linux-elf-bash-0day-fun-has-only-just.html'>MMD-0027-2014 - Linux/Bashdoor(GafGyt) & Small ELF Backdoor at shellshock</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/09/reversing-arm-architecture-elf-elknot.html'>MMD-0026-2014 - Linux/AES.DDoS: Router Malware</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/06/mmd-0025-2014-itw-infection-of-elf.html'>MMD-0025-2014 - Linux/.IptabLex or .IptabLes - China/PRC origin DDoS bot</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/06/recent-incident-report-of-linux-elf.html'>MMD-0024-2014 - Incident Report of Linux/Mayhem (LD_PRELOAD libworker.so)</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/05/a-payback-to-ssh-bruting-crooks.html'>MMD-0023-2014 - Linux/pscan & Linux/sshscan: SSH bruter malware</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/05/threat-analysis-zendran-elf-ddos-scheme.html'>MMD-0022-2014 - Zendran, multi-arch Linux/Llightaidra - Part 1: background, installation, reversing & C2 access</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/05/linux-reversing-is-fun-toying-with-elf.html'>MMD-0021-2014 - Linux/Elknot: China's origin ELF DDoS+backdoor</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/05/elf-shared-so-dynamic-library-malware.html'>MMD-0020-2014 - Analysis of Linux/Mayhem infection: A shared libs ELF</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/04/when-hacker-gets-hacked-disclosure.html'>MMD-0019-2014 - "Xakep.biz" evil tools</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/04/upatre-downloading-gmo-is-back-to-ssl.html'>MMD-0018-2014 - Analysis note: "Upatre" is back to SSL? </a></li>
<li><a href='https://blog.malwaremustdie.org/2014/03/a-post-to-sting-zeus-p2pgameover-crooks.html'>MMD-0017-2014 - A post to sting Zeus P2P/Gameover</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/02/cyber-intelligence-jackpos-behind-screen.html'>MMD-0016-2014 - The JackPOS Behind the Screen</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/02/one-upn-time-with-american-express.html'>MMD-0015-2014 - One upon the time with Phishing Session..</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/01/threat-intelligence-new-locker-prison.html'>MMD-0014-2014 - New Locker: Prison Locker (aka: Power Locker)</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/01/shadow-logger-new-fud-keylogger-on-mmd.html'>MMD-0013-2014 - "Shadow Logger" - .NET's FUD Keylogger</a></li>
<li><a href='https://blog.malwaremustdie.org/2013/12/arp-spoofing-malware-infection-project.html'>MMD-0012-2013 - ARP Spoofing Malware</a></li>
<li><a href='https://blog.malwaremustdie.org/2013/12/lets-be-more-serious-about-dns-amp-elf.html'>MMD-0011-2013 - Linux/Elknot - Let's be more serious about (mitigating) DNS Amp</a></li>
<li><a href='https://blog.malwaremustdie.org/2013/11/more-wordpress-hack-case-sites.html'>MMD-0010-2013 - Wordpress Hack Case: Site's Credential Stealer</a></li>
<li><a href='https://blog.malwaremustdie.org/2013/11/runforrestrun-dga-is-alive-at.html'>MMD-0009-2013 - JS/RunForrestRun DGA "Comeback" with new obfuscation</a></li>
<li><a href='https://blog.malwaremustdie.org/2013/10/a-disclosure-of-whats-behind-w00tw00t.html'>MMD-0008-2013 - What's Behind the #w00tw00t (PHP) Attack</a></li>
<li><a href='https://blog.malwaremustdie.org/2013/10/kins-source-code-for-view-download.html'>MMD-0007-2013 - KINS? No! PowerZeuS, yes! </a></li>
<li><a href='https://blog.malwaremustdie.org/2013/09/302-redirector-new-cushion-attempt-to.html'>MMD-0006-2013 - Rogue 302-Redirector "Cushion Attack"</a></li>
<li><a href='https://blog.malwaremustdie.org/2013/09/how-greedy-cyber-scums-are-leaked-plan.html'>MMD-0005-2013 - A Leaked Malvertisement, Cutwail+BHEK & Triple Payloads of "Syria Campaign"</a></li>
<li><a href='https://blog.malwaremustdie.org/2013/08/you-hacked-we-cracked-youre-doomed-ir.html'>MMD-0004-2013 - "You hacked.. we cracked" - "WP Super Cache" & Glazunov EK</a></li>
<li><a href='https://blog.malwaremustdie.org/2013/07/the-come-back-of-ru-runforrestruns-dga.html'>MMD-0003-2013 - First "comeback" of the .RU RunForrestRun's DGA</a></li>
<li><a href='https://blog.malwaremustdie.org/2013/07/how-bad-cutwail-and-other-spambot-can.html'>MMD-0002-2013 - How Cutwail and other SpamBot can fool (spoof) us?</a></li>
<li><a href='https://blog.malwaremustdie.org/2013/07/proof-of-concept-of-cookiebomb-attack.html'>MMD-0001-2013 - Proof of Concept of "CookieBomb" code injection attack</a></li>
<li><a href='https://blog.malwaremustdie.org/2013/06/advisory-on-pleskapache-remote-code.html'>MMD-0000-2013 - Malware Infection Alert on Plesk/Apache Remote Code Execution zeroday</a></li>
</ul>
<div class='clear'></div>
</div>
</div><div class='widget LinkList' data-version='1' id='LinkList3'>
<h2>Presentation and Special Threat Reports</h2>
<div class='widget-content'>
<ul>
<li><a href='https://blog.malwaremustdie.org/2021/03/mmd-067-2021-recent-talks-on-linux.html#rootcon2020'>ROOTCON 2020 - Deeper diving into shellcode (advanced users)</a></li>
<li><a href='https://blog.malwaremustdie.org/2021/03/mmd-067-2021-recent-talks-on-linux.html#r2con2020'>R2CON 2020 - So you don't like shellcode too? (for r2 RE beginners)</a></li>
<li><a href='https://blog.malwaremustdie.org/2019/10/more-about-my-2019hacklu-keynote-talk.html'>HACK.LU 2019 Keynote talk: "Fileless Malware Infection and Linux Process Injection"</a></li>
<li><a href='https://blog.malwaremustdie.org/p/new-video-of-this-talk-has-just-been.html'>R2CON 2018 talk of: "Unpacking the non-unpackable ELF malware"</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/02/long-talk-av-tokyo-20135-kelihos.html'>AVTOKYO 2013.5 - Threats of Kelihos, CookieBomb, RedKit's and its Bad Actor</a></li>
<li><a href='https://blog.malwaremustdie.org/2013/12/short-talk-in-botconf-2013-kelihos.html'>BOTCONF 2013 - Kelihos: Botnet, Takedown, Mule Actor</a></li>
<li><a href='https://blog.malwaremustdie.org/2013/02/cve-2013-0634-this-ladyboyle-is-not.html'>CVE-2013-0634 This "Lady" Boyle is not a nice Lady at all</a></li>
<li><a href='https://blog.0day.jp/p/english-report-of-fhappi-freehosting.html'>APT-10 - FreeHosting APT w/PowerSploit Poison Ivy (FHAPPI) campaign aims Hongkong & Mongolia</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/08/another-country-sponsored-malware.html'>APT-32 - The Vietnam Journalist Spy Campaign </a></li>
<li><a href='https://blog.malwaremustdie.org/2014/08/what-is-bad-stays-bad-legalized-any.html'>Targeted attack of "Operation Torpedo"</a></li>
<li><a href='https://old.reddit.com/r/LinuxMalware/comments/5d0jx4/malwaremustdie_closed_blog_usa_access_as_protest/'>Protest against usage of NSA malware spytool PITCHIMPAIR & INNOVATION on friendly countries</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/11/china-elf-botnet-malware-infection.html'>China/PRC origin Linux botnet's malware infection and its distribution scheme unleashed</a></li>
<li><a href='https://blog.malwaremustdie.org/2013/06/full-disclosure-of-309-botbotnet-source.html'>Full disclosure of 309 Bots/Botnet Source Codes Found via Germany Torrent </a></li>
<li><a href='https://blog.malwaremustdie.org/2013/03/the-evil-came-back-darkleechs-apache.html'>The Evil Came Back: Linux/Darkleech's Apache Malware Module</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/06/ddoser-as-service-camouflation-of-legit.html'>DDoS in a Bruter Service - A camouflage of Stresser/Booter</a></li>
<li><a href='https://blog.malwaremustdie.org/2012/10/how-far-phpc99shell-malware-can-go-from.html'>How EVIL the PHP/C99Shell can be? From SQL Dumper, Hacktools, to Trojan Distributor Future? </a></li>
<li><a href='https://blog.malwaremustdie.org/2014/06/a-journey-to-abused-ftp-sites-story-of.html'>A journey to abused FTP sites (story of: Shells, Malware, Bots, DDoS & Spam) - Part 2</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/05/a-journey-to-ftp-abused-sites-story-of.html'>A journey to abused FTP sites (story of: Shells, Malware, Bots, DDoS & Spam) - Part 1</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/02/how-public-services-like-amazon-aws.html'>Case Study: How legitimate internet services like Amazon AWS, DropBox, Google Project/Code & ShortURL got abused to infect malware</a></li>
<li><a href='https://blog.malwaremustdie.org/2013/05/story-of-unix-trojan-tsunami-ircbot-w.html'>Just another story of UNIX Trojan Tsunami/Kaiten.c (IRC/Bot) w/ Flooder, Backdoor at a hacked xBSD case</a></li>
<li><a href='https://blog.malwaremustdie.org/p/mon-mar-24-104232-jst-2014.html'>Discontinuation of "Malware Crusader" public forum</a></li>
<li><a href='https://blog.malwaremustdie.org/p/hall-of-shame.html'>Hall of Shame</a></li>
<li><a href='https://blog.malwaremustdie.org/p/malwaremustdie-blog-archive.html'>more..</a></li>
</ul>
<div class='clear'></div>
</div>
</div><div class='widget LinkList' data-version='1' id='LinkList4'>
<h2>Non-indexed (older) Analysis</h2>
<div class='widget-content'>
<ul>
<li><a href='https://blog.malwaremustdie.org/2013/11/a-step-by-step-decoding-guide-for.html'>Decoding Guide for CookieBomb's (as Front-end) Latest Threat, with Evil ESD.PHP Redirection (as the Back-end)</a></li>
<li><a href='https://blog.malwaremustdie.org/2013/07/a-note-of-modification-of-obfuscation.html'>Some Decoding note(s) on modified #CookieBomb attack's obfuscated injection code</a></li>
<li><a href='https://blog.malwaremustdie.org/2013/07/what-is-behind-cookiebomb-attack-by.html'>What is behind #CookieBomb attack? (by @malm0u53)</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/01/and-another-detonating-method-of-new.html'>..And another "detonating" method of CookieBomb 2.0 - Part 2</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/01/and-another-detonating-method-of-todays.html'>..And another "detonating" method of CookieBomb 2.0 - Part 1</a></li>
<li><a href='https://blog.malwaremustdie.org/2012/10/fuzzy-in-manual-cracking-of.html'>New PseudoRandom (JS/runforestrun?xxx=)</a></li>
<li><a href='https://blog.malwaremustdie.org/2012/12/jsrunforrestrun-infector-comeback-full.html'>JS/RunForrestRun Infection ComeBack</a></li>
<li><a href='https://blog.malwaremustdie.org/2013/04/cnc-analysis-of-citadel-trojan-bot.html'>CNC analysis of Citadel Trojan Bot-Agent - Part 2</a></li>
<li><a href='https://blog.malwaremustdie.org/2013/04/wireshark-analysis-of-citadel-trojan.html'>CNC analysis of Citadel Trojan Bot-Agent - Part 1</a></li>
<li><a href='https://blog.malwaremustdie.org/2012/09/cracking-of-strong-encrypted-phpirc-bot.html'>Cracking of Strong Encrypted PHP / IRC Bot (PBOT) </a></li>
<li><a href='https://blog.malwaremustdie.org/p/malwaremustdie-blog-archive.html'>more..</a></li>
</ul>
<div class='clear'></div>
</div>
</div><div class='widget Feed' data-version='1' id='Feed2'>
<h2>
</h2>
<div class='widget-content' id='Feed2_feedItemListDisplay'>
<span style='filter: alpha(25); opacity: 0.25;'>
<a href='https://blog.0day.jp/feeds/posts/default?alt=rss'>Loading...</a>
</span>
</div>
<div class='clear'></div>
</div><div class='widget Subscribe' data-version='1' id='Subscribe1'>
<div style='white-space:nowrap'>
<h2 class='title'>Subscribe To</h2>
<div class='widget-content'>
<div class='subscribe-wrapper subscribe-type-POST'>
<div class='subscribe expanded subscribe-type-POST' id='SW_READER_LIST_Subscribe1POST' style='display:none;'>
<div class='top'>
<span class='inner' onclick='return(_SW_toggleReaderList(event, "Subscribe1POST"));'>
<img class='subscribe-dropdown-arrow' src='https://resources.blogblog.com/img/widgets/arrow_dropdown.gif'/>
<img align='absmiddle' alt='' border='0' class='feed-icon' src='https://resources.blogblog.com/img/icon_feed12.png'/>
Posts
</span>
<div class='feed-reader-links'>
<a class='feed-reader-link' href='https://www.netvibes.com/subscribe.php?url=https%3A%2F%2Fblog.malwaremustdie.org%2Ffeeds%2Fposts%2Fdefault' target='_blank'>
<img src='https://resources.blogblog.com/img/widgets/subscribe-netvibes.png'/>
</a>
<a class='feed-reader-link' href='https://add.my.yahoo.com/content?url=https%3A%2F%2Fblog.malwaremustdie.org%2Ffeeds%2Fposts%2Fdefault' target='_blank'>
<img src='https://resources.blogblog.com/img/widgets/subscribe-yahoo.png'/>
</a>
<a class='feed-reader-link' href='https://blog.malwaremustdie.org/feeds/posts/default' target='_blank'>
<img align='absmiddle' class='feed-icon' src='https://resources.blogblog.com/img/icon_feed12.png'/>
                  Atom
                </a>
</div>
</div>
<div class='bottom'></div>
</div>
<div class='subscribe' id='SW_READER_LIST_CLOSED_Subscribe1POST' onclick='return(_SW_toggleReaderList(event, "Subscribe1POST"));'>
<div class='top'>
<span class='inner'>
<img class='subscribe-dropdown-arrow' src='https://resources.blogblog.com/img/widgets/arrow_dropdown.gif'/>
<span onclick='return(_SW_toggleReaderList(event, "Subscribe1POST"));'>
<img align='absmiddle' alt='' border='0' class='feed-icon' src='https://resources.blogblog.com/img/icon_feed12.png'/>
Posts
</span>
</span>
</div>
<div class='bottom'></div>
</div>
</div>
<div class='subscribe-wrapper subscribe-type-PER_POST'>
<div class='subscribe expanded subscribe-type-PER_POST' id='SW_READER_LIST_Subscribe1PER_POST' style='display:none;'>
<div class='top'>
<span class='inner' onclick='return(_SW_toggleReaderList(event, "Subscribe1PER_POST"));'>
<img class='subscribe-dropdown-arrow' src='https://resources.blogblog.com/img/widgets/arrow_dropdown.gif'/>
<img align='absmiddle' alt='' border='0' class='feed-icon' src='https://resources.blogblog.com/img/icon_feed12.png'/>
Comments
</span>
<div class='feed-reader-links'>
<a class='feed-reader-link' href='https://www.netvibes.com/subscribe.php?url=https%3A%2F%2Fblog.malwaremustdie.org%2Ffeeds%2F986273841544985370%2Fcomments%2Fdefault' target='_blank'>
<img src='https://resources.blogblog.com/img/widgets/subscribe-netvibes.png'/>
</a>
<a class='feed-reader-link' href='https://add.my.yahoo.com/content?url=https%3A%2F%2Fblog.malwaremustdie.org%2Ffeeds%2F986273841544985370%2Fcomments%2Fdefault' target='_blank'>
<img src='https://resources.blogblog.com/img/widgets/subscribe-yahoo.png'/>
</a>
<a class='feed-reader-link' href='https://blog.malwaremustdie.org/feeds/986273841544985370/comments/default' target='_blank'>
<img align='absmiddle' class='feed-icon' src='https://resources.blogblog.com/img/icon_feed12.png'/>
                  Atom
                </a>
</div>
</div>
<div class='bottom'></div>
</div>
<div class='subscribe' id='SW_READER_LIST_CLOSED_Subscribe1PER_POST' onclick='return(_SW_toggleReaderList(event, "Subscribe1PER_POST"));'>
<div class='top'>
<span class='inner'>
<img class='subscribe-dropdown-arrow' src='https://resources.blogblog.com/img/widgets/arrow_dropdown.gif'/>
<span onclick='return(_SW_toggleReaderList(event, "Subscribe1PER_POST"));'>
<img align='absmiddle' alt='' border='0' class='feed-icon' src='https://resources.blogblog.com/img/icon_feed12.png'/>
Comments
</span>
</span>
</div>
<div class='bottom'></div>
</div>
</div>
<div style='clear:both'></div>
</div>
</div>
<div class='clear'></div>
</div><div class='widget HTML' data-version='1' id='HTML4'>
<div class='widget-content'>
<img src="https://lh5.googleusercontent.com/proxy/7a-Sy6taVMPz5qCfJcwarW7nnRlF-fwSjHuPpm4G-slGou22nrtKfHm7RVsFcKWJHqHb9Q_sMZs-ERk=s0-d" width="0" height="0" border="0">
<!--
&#9769;act free from sins,
&#9769;speak the truth,
&#9769;be just,
&#9769;be brave,
&#9769;have faith,
&#9769;help, support, teach the weaks ,
&#9769;non nobis domine sed nomine tuo da gloriam.
-->
</div>
<div class='clear'></div>
</div></div>
</aside>
</div>
</div>
</div>
<div style='clear: both'></div>
<!-- columns -->
</div>
<!-- main -->
</div>
</div>
<div class='main-cap-bottom cap-bottom'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
</div>
<footer>
<div class='footer-outer'>
<div class='footer-cap-top cap-top'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
<div class='fauxborder-left footer-fauxborder-left'>
<div class='fauxborder-right footer-fauxborder-right'></div>
<div class='region-inner footer-inner'>
<div class='foot no-items section' id='footer-1'></div>
<table border='0' cellpadding='0' cellspacing='0' class='section-columns columns-2'>
<tbody>
<tr>
<td class='first columns-cell'>
<div class='foot no-items section' id='footer-2-1'></div>
</td>
<td class='columns-cell'>
<div class='foot no-items section' id='footer-2-2'></div>
</td>
</tr>
</tbody>
</table>
<!-- outside of the include in order to lock Attribution widget -->
<div class='foot section' id='footer-3'><div class='widget Attribution' data-version='1' id='Attribution1'>
<div class='widget-content' style='text-align: center;'>
(c)MalwareMustDie, 2012-2021. Read LEGAL DISCLAIMER before quoting or copying our contents. Powered by <a href='https://www.blogger.com' target='_blank'>Blogger</a>.
</div>
<div class='clear'></div>
</div></div>
</div>
</div>
<div class='footer-cap-bottom cap-bottom'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
</div>
</footer>
<!-- content -->
</div>
</div>
<div class='content-cap-bottom cap-bottom'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
</div>
</div>
<script type='text/javascript'>
    window.setTimeout(function() {
        document.body.className = document.body.className.replace('loading', '');
      }, 10);
  </script>
<script type='text/javascript'>
      (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
      (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
      m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
      })(window,document,'script','https://www.google-analytics.com/analytics.js','ga');
      ga('create', 'UA-180537376-1', 'auto', 'blogger');
      ga('blogger.send', 'pageview');
    </script>
<!--It is your responsibility to notify your visitors about cookies used and data collected on your blog. Blogger makes a standard notification available for you to use on your blog, and you can customise it or replace it with your own notice. See http://www.blogger.com/go/cookiechoices for more details.-->
<script defer='' src='/js/cookienotice.js'></script>
<script>
    document.addEventListener('DOMContentLoaded', function(event) {
      window.cookieChoices && cookieChoices.showCookieConsentBar && cookieChoices.showCookieConsentBar(
          (window.cookieOptions && cookieOptions.msg) || 'This site uses cookies from Google to deliver its services and to analyse traffic. Your IP address and user agent are shared with Google, together with performance and security metrics, to ensure quality of service, generate usage statistics and to detect and address abuse.',
          (window.cookieOptions && cookieOptions.close) || 'Ok',
          (window.cookieOptions && cookieOptions.learn) || 'Learn more',
          (window.cookieOptions && cookieOptions.link) || 'https://www.blogger.com/go/blogspot-cookies');
    });
  </script>

<script type="text/javascript" src="https://www.blogger.com/static/v1/widgets/1434883710-widgets.js"></script>
<script type='text/javascript'>
window['__wavt'] = 'AOuZoY5d-Fu4edG9QuPa9aUJNkSglsiGqA:1640306105647';_WidgetManager._Init('//www.blogger.com/rearrange?blogID\x3d8268358095554400245','//blog.malwaremustdie.org/2019/09/mmd-0064-2019-linuxairdropbot.html','8268358095554400245');
_WidgetManager._SetDataContext([{'name': 'blog', 'data': {'blogId': '8268358095554400245', 'title': 'Malware Must Die!', 'url': 'https://blog.malwaremustdie.org/2019/09/mmd-0064-2019-linuxairdropbot.html', 'canonicalUrl': 'https://blog.malwaremustdie.org/2019/09/mmd-0064-2019-linuxairdropbot.html', 'homepageUrl': 'https://blog.malwaremustdie.org/', 'searchUrl': 'https://blog.malwaremustdie.org/search', 'canonicalHomepageUrl': 'https://blog.malwaremustdie.org/', 'blogspotFaviconUrl': 'https://blog.malwaremustdie.org/favicon.ico', 'bloggerUrl': 'https://www.blogger.com', 'hasCustomDomain': true, 'httpsEnabled': true, 'enabledCommentProfileImages': true, 'gPlusViewType': 'FILTERED_POSTMOD', 'adultContent': false, 'analyticsAccountNumber': 'UA-180537376-1', 'encoding': 'UTF-8', 'locale': 'en', 'localeUnderscoreDelimited': 'en', 'languageDirection': 'ltr', 'isPrivate': false, 'isMobile': false, 'isMobileRequest': false, 'mobileClass': '', 'isPrivateBlog': false, 'isDynamicViewsAvailable': true, 'feedLinks': '\x3clink rel\x3d\x22alternate\x22 type\x3d\x22application/atom+xml\x22 title\x3d\x22Malware Must Die! - Atom\x22 href\x3d\x22https://blog.malwaremustdie.org/feeds/posts/default\x22 /\x3e\n\x3clink rel\x3d\x22alternate\x22 type\x3d\x22application/rss+xml\x22 title\x3d\x22Malware Must Die! - RSS\x22 href\x3d\x22https://blog.malwaremustdie.org/feeds/posts/default?alt\x3drss\x22 /\x3e\n\x3clink rel\x3d\x22service.post\x22 type\x3d\x22application/atom+xml\x22 title\x3d\x22Malware Must Die! - Atom\x22 href\x3d\x22https://www.blogger.com/feeds/8268358095554400245/posts/default\x22 /\x3e\n\n\x3clink rel\x3d\x22alternate\x22 type\x3d\x22application/atom+xml\x22 title\x3d\x22Malware Must Die! - Atom\x22 href\x3d\x22https://blog.malwaremustdie.org/feeds/986273841544985370/comments/default\x22 /\x3e\n', 'meTag': '', 'adsenseHostId': 'ca-host-pub-1556223355139109', 'adsenseHasAds': false, 'adsenseAutoAds': false, 'ieCssRetrofitLinks': '\x3c!--[if IE]\x3e\x3cscript type\x3d\x22text/javascript\x22 src\x3d\x22https://www.blogger.com/static/v1/jsbin/2287435483-ieretrofit.js\x22\x3e\x3c/script\x3e\n\x3c![endif]--\x3e', 'view': '', 'dynamicViewsCommentsSrc': '//www.blogblog.com/dynamicviews/4224c15c4e7c9321/js/comments.js', 'dynamicViewsScriptSrc': '//www.blogblog.com/dynamicviews/20752fd4df382411', 'plusOneApiSrc': 'https://apis.google.com/js/plusone.js', 'disableGComments': true, 'sharing': {'platforms': [{'name': 'Get link', 'key': 'link', 'shareMessage': 'Get link', 'target': ''}, {'name': 'Facebook', 'key': 'facebook', 'shareMessage': 'Share to Facebook', 'target': 'facebook'}, {'name': 'BlogThis!', 'key': 'blogThis', 'shareMessage': 'BlogThis!', 'target': 'blog'}, {'name': 'Twitter', 'key': 'twitter', 'shareMessage': 'Share to Twitter', 'target': 'twitter'}, {'name': 'Pinterest', 'key': 'pinterest', 'shareMessage': 'Share to Pinterest', 'target': 'pinterest'}, {'name': 'Email', 'key': 'email', 'shareMessage': 'Email', 'target': 'email'}], 'disableGooglePlus': true, 'googlePlusShareButtonWidth': 0, 'googlePlusBootstrap': '\x3cscript type\x3d\x22text/javascript\x22\x3ewindow.___gcfg \x3d {\x27lang\x27: \x27en\x27};\x3c/script\x3e'}, 'hasCustomJumpLinkMessage': false, 'jumpLinkMessage': 'Read more', 'pageType': 'item', 'postId': '986273841544985370', 'postImageThumbnailUrl': 'https://lh3.googleusercontent.com/dxOB7ZuVg-fBrRmstt3EmVsaleV_-P9L6HxsIHK5w3puttv_w8pBzUM3sao1qFynjKVehsyIqcuW3dtU-sfUmA3l6TXGot255o7mfQ_tKl2KDS3XZ6s9_8vTKbVwK81VjsnENa4y32U\x3ds72-w300-c-h810-no', 'postImageUrl': 'https://lh3.googleusercontent.com/dxOB7ZuVg-fBrRmstt3EmVsaleV_-P9L6HxsIHK5w3puttv_w8pBzUM3sao1qFynjKVehsyIqcuW3dtU-sfUmA3l6TXGot255o7mfQ_tKl2KDS3XZ6s9_8vTKbVwK81VjsnENa4y32U\x3dw300-h810-no', 'pageName': 'MMD-0064-2019 - Linux/AirDropBot', 'pageTitle': 'Malware Must Die!: MMD-0064-2019 - Linux/AirDropBot', 'metaDescription': ''}}, {'name': 'features', 'data': {'sharing_get_link_dialog': 'true', 'sharing_native': 'false'}}, {'name': 'messages', 'data': {'edit': 'Edit', 'linkCopiedToClipboard': 'Link copied to clipboard!', 'ok': 'Ok', 'postLink': 'Post Link'}}, {'name': 'template', 'data': {'name': 'custom', 'localizedName': 'Custom', 'isResponsive': false, 'isAlternateRendering': false, 'isCustom': true}}, {'name': 'view', 'data': {'classic': {'name': 'classic', 'url': '?view\x3dclassic'}, 'flipcard': {'name': 'flipcard', 'url': '?view\x3dflipcard'}, 'magazine': {'name': 'magazine', 'url': '?view\x3dmagazine'}, 'mosaic': {'name': 'mosaic', 'url': '?view\x3dmosaic'}, 'sidebar': {'name': 'sidebar', 'url': '?view\x3dsidebar'}, 'snapshot': {'name': 'snapshot', 'url': '?view\x3dsnapshot'}, 'timeslide': {'name': 'timeslide', 'url': '?view\x3dtimeslide'}, 'isMobile': false, 'title': 'MMD-0064-2019 - Linux/AirDropBot', 'description': 'MalwareMustDie (MMD) is a whitehat workgroup to reduce malware, this blog advocates research on new malware threats \x26 Linux malware.', 'featuredImage': 'https://lh3.googleusercontent.com/dxOB7ZuVg-fBrRmstt3EmVsaleV_-P9L6HxsIHK5w3puttv_w8pBzUM3sao1qFynjKVehsyIqcuW3dtU-sfUmA3l6TXGot255o7mfQ_tKl2KDS3XZ6s9_8vTKbVwK81VjsnENa4y32U\x3dw300-h810-no', 'url': 'https://blog.malwaremustdie.org/2019/09/mmd-0064-2019-linuxairdropbot.html', 'type': 'item', 'isSingleItem': true, 'isMultipleItems': false, 'isError': false, 'isPage': false, 'isPost': true, 'isHomepage': false, 'isArchive': false, 'isLabelSearch': false, 'postId': 986273841544985370}}]);
_WidgetManager._RegisterWidget('_NavbarView', new _WidgetInfo('Navbar1', 'navbar', document.getElementById('Navbar1'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_HeaderView', new _WidgetInfo('Header1', 'header', document.getElementById('Header1'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_BlogView', new _WidgetInfo('Blog1', 'main', document.getElementById('Blog1'), {'cmtInteractionsEnabled': false, 'lightboxEnabled': true, 'lightboxModuleUrl': 'https://www.blogger.com/static/v1/jsbin/1619306617-lbx.js', 'lightboxCssUrl': 'https://www.blogger.com/static/v1/v-css/4076883957-lightbox_bundle.css'}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_HTMLView', new _WidgetInfo('HTML1', 'sidebar-right-1', document.getElementById('HTML1'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_BlogSearchView', new _WidgetInfo('BlogSearch1', 'sidebar-right-1', document.getElementById('BlogSearch1'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_LinkListView', new _WidgetInfo('LinkList1', 'sidebar-right-1', document.getElementById('LinkList1'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_FeaturedPostView', new _WidgetInfo('FeaturedPost1', 'sidebar-right-1', document.getElementById('FeaturedPost1'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_LinkListView', new _WidgetInfo('LinkList2', 'sidebar-right-1', document.getElementById('LinkList2'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_LinkListView', new _WidgetInfo('LinkList3', 'sidebar-right-1', document.getElementById('LinkList3'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_LinkListView', new _WidgetInfo('LinkList4', 'sidebar-right-1', document.getElementById('LinkList4'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_FeedView', new _WidgetInfo('Feed2', 'sidebar-right-1', document.getElementById('Feed2'), {'title': '', 'showItemDate': true, 'showItemAuthor': false, 'feedUrl': 'https://blog.0day.jp/feeds/posts/default?alt\x3drss', 'numItemsShow': 5, 'loadingMsg': 'Loading...', 'openLinksInNewWindow': false, 'useFeedWidgetServ': 'true'}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_SubscribeView', new _WidgetInfo('Subscribe1', 'sidebar-right-1', document.getElementById('Subscribe1'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_HTMLView', new _WidgetInfo('HTML4', 'sidebar-right-1', document.getElementById('HTML4'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_AttributionView', new _WidgetInfo('Attribution1', 'footer-3', document.getElementById('Attribution1'), {}, 'displayModeFull'));
</script>
</body>
</html>